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OVERSIGHT OF FINANCIAL STABILITY AND 
DATA SECURITY 


THURSDAY, FEBRUARY 6, 2014 

U.S. Senate, 

Committee on Banking, Housing, and Urban Affairs, 

Washington, DC. 

The Committee met at 10:14 a.m. in room SD-538, Dirksen Sen- 
ate Office Building, Hon. Tim Johnson, Chairman of the Com- 
mittee, presiding. 

OPENING STATEMENT OF CHAIRMAN TIM JOHNSON 

Chairman JOHNSON. I call this hearing to order. 

Today, the Committee continues its oversight of the implementa- 
tion of the Dodd-Frank Wall Street Reform and Consumer Protec- 
tion Act. There has been good progress since our last hearing, in- 
cluding the completion of the long-awaited Volcker Rule. I believe 
our economy is on much more stable footing, in part due to the ef- 
forts of our witnesses and their staffs. 

However, there is still work to be done, and oversight will con- 
tinue to be a top priority for this Committee. Some of the pending 
work includes enhanced capital, leverage, and liquidity rules for 
the largest banks, a new regulatory framework for nonbank finan- 
cial companies designated as SIFIs, QRM, and the new derivatives 
rules. I have asked the witnesses to outline their timeline for com- 
pleting these and other rules and to provide information on how 
each agency’s rules will reduce systemic risk and enhance financial 
stability. 

To date, the regulators have been thoughtful and responsive. For 
example, they worked quickly to address a concern raised by com- 
munity banks that the Volcker Rule unintentionally could have re- 
sulted in large, unexpected losses for some. I ask that the agencies 
continue to monitor the impact of their actions and to coordinate 
their ongoing work. Agency implementation of Wall Street Reform 
should also continue to be focused on institutions and activities 
that pose the greatest systemic risks. Final rules should not be 
one-size-fits-all for banks and insurance companies, nor should 
they impose unnecessary burdens on community banks and credit 
unions. 

In recent weeks, American consumers have been victims of large 
data breaches at national retailers, their personal information ex- 
posed to identity theft and fraud. Those responsible must be held 
accountable, and we must examine what more can be done to bet- 
ter safeguard consumer information going forward. I have asked 
each agency to detail its coordination with other regulators and law 
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enforcement on data breaches, as well as each agency’s role in the 
retail payment system. 

Wall Street Reform created an important financial stability 
watchdog, the FSOC. In its most recent annual report, the FSOC 
identified securities threats in cyberspace as a potential systemic 
risk. I want to hear what each agency testifying today is doing to 
mitigate cyber and other data security risks, as well as protect con- 
sumer data at the agencies they regulate. 

I now turn to Ranking Member Crapo for his opening statement. 

STATEMENT OF SENATOR MIKE CRAPO 

Senator Crapo. Thank you, Mr. Chairman. 

I have repeatedly stressed the need for the U.S. banking system 
and capital markets to remain the preferred destination for inves- 
tors throughout the world. While it is too early to tell the extent 
to which our overall Dodd-Frank rules will make our financial sys- 
tem more stable. Federal regulators must ensure that we do not tip 
the balance of the scales with too heavy a hand. Otherwise, the cu- 
mulative effect of the rules and their interaction with each other 
may burden the economy far more than any stabilizing benefit. 

In addition, it is paramount that the regulators understand the 
full spectrum of the rules they are implementing and any con- 
sequences before finalizing the rules. This was evident in December 
when the regulators issued the final Volcker Rule and, as the 
Chairman mentioned, did not realize that the accounting rules 
would force community banks to recognize unrealized market 
losses. Regulators worked hard over the holidays to fix this for 
community banks, but the bigger question is why, after 3 years of 
promulgating the rule, did no regulator foresee this situation. 

This incident with the Volcker Rule only reinforces my belief that 
we need targeted fixes of various Dodd-Frank provisions. Some of 
those fixes include the end-user exemption, the swaps push-out, 
and community banks relief, as identified by Chairman Bernanke 
last year. 

In addition to ensuring that regulators take appropriate actions 
on the rulemaking front, they must also take necessary steps to en- 
sure that our payment system and financial data are adequately 
protected. One of the top priorities for this Committee is protection 
of consumer financial data and the integrity of the U.S. payment 
system. Even the Financial Stability Oversight Council, FSOC, has 
identified data security as an emerging threat to our financial sta- 
bility. 

At the Subcommittee hearing on Monday, Members started a dis- 
cussion about the standards used to protect consumer data, the 
payment technologies available, and the roles of all parties in the 
payment system. The U.S. payment system is a shared enterprise. 
While parties approach the system from different positions, every- 
one recognizes and benefits from the fast, safe, and accurate trans- 
mission of consumer financial data. 

Whether we use credit cards at the gas station, the grocery store, 
or even use our smartphones to purchase a sandwich or a book, ev- 
eryone expects a safe and secure system for our financial informa- 
tion. Recent data breaches reveal just how much information dif- 
ferent entities collect about consumers. 
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Financial institutions of all sizes face a thorough examination 
process and oversight by regulators when it comes to data security, 
but there are many entry points that could be attacked in our pay- 
ment system. We must answer three key questions. 

First, are the existing regulatory tools adequate to protect all ac- 
tors in the payment system and capable of safeguarding our finan- 
cial information? 

Second, with so many stakeholders affected by recent data 
breaches, how can we minimize the damage to consumers and 
make the system less vulnerable? 

And, third, should industry participants consider new tech- 
nologies that may improve the safety of the payment system, and 
if so, what technologies are most appropriate? 

Recent hearings have also unveiled that Federal regulators, in- 
cluding the witnesses before us today, collect vast amounts of con- 
sumer financial data and information. Regulators still have not 
provided a sound rationale, in my opinion, for all of the data they 
collect. Their data collection needs to be as safe and as secure as 
possible so consumers will not have to fear a data breach at the 
Federal Government level, and I will add, so consumers do not 
have to fear the misuse of that data being collected by the Govern- 
ment. 

Today, our witnesses will address some of these issues and their 
role in protecting consumers’ financial information and the stability 
of our payment system, and I look forward to the discussion. 

Thank you, Mr. Chairman, for holding this hearing. 

Chairman JOHNSON. Thank you. Senator Crapo. 

I would like to allow for more time for questions, but would any 
Member like to make a brief opening statement? Senator Reed. 

STATEMENT OF SENATOR JACK REED 

Senator Reed. Well, thank you very much, Mr. Chairman. I will 
make a very brief opening statement. I have to shortly go to the 
floor to continue to work for the extension of unemployment bene- 
fits for 1.7 million Americans. But, before I do, I wanted to make 
some very brief comments. 

As I have said previously, it is important to finish implementing 
Dodd-Frank such as the SEC’s need to finish its share of the de- 
rivatives rules relating to security-based swaps, and I would urge 
moving as quickly and diligently as possible. 

Lastly, in light of the Target data breach and its widespread im- 
pact on our constituents, I urge and expect all of the regulators 
here today to take a fresh and careful look at beefing up their cyber 
and data security standards to ensure that the regulators them- 
selves and those entities under this jurisdiction are ahead of the 
curve and do not fall victim to cyber and data breaches. 

And with that, thank you, Mr. Chairman, for your consideration. 

Chairman JOHNSON. Anyone else? 

[No response.] 

Chairman JOHNSON. I would like to remind my colleagues that 
the record will be open for the next 7 days for opening statements 
and any other materials you would like to submit. 
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Now, I would like to introduce our witnesses. Mary Miller is the 
Under Secretary for Domestic Finance at the U.S. Department of 
the Treasury. 

Dan Tarullo is a member of the Board of Governors of the Fed- 
eral Reserve System. 

Martin Gruenberg is the Chairman of the Federal Deposit Insur- 
ance Corporation. 

Tom Curry is the Comptroller of the Currency. 

Mary Jo White is the Chair of the Securities and Exchange Com- 
mission. 

Mark Wetjen is the Acting Chairman of the Commodities Fu- 
tures Trading Commission. 

I thank all of you for being here today. I would like to ask the 
witnesses to please keep your remarks to 5 minutes. Your full writ- 
ten statements will be included in the hearing record. 

Under Secretary Miller, you may begin your testimony. 

STATEMENT OF MARY J. MILLER, UNDER SECRETARY FOR 
DOMESTIC FINANCE, DEPARTMENT OF THE TREASURY 

Ms. Miller. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for inviting me to testify 
today on behalf of the Treasury Department. 

I would like to update the Committee on several important regu- 
latory developments since I appeared before you last July, Treas- 
ury’s role in enhancing cybersecurity in the financial sector, and 
our 2014 priorities. 

From his first day in office. Secretary Lew stressed the impor- 
tance of finishing work on the Volcker Rule and the importance of 
having a single, strong final rule that was true to President 
Obama’s proposal and the statute’s intent. The final rule adopted 
in December will protect taxpayers by ending banks’ speculative 
proprietary trading and restricting their investments in private eq- 
uity and hedge funds, while maintaining deep liquid financial mar- 
kets and allowing banks to hedge those risks. 

We also made progress implementing Title II of Dodd-Frank. All 
of the firms required to submit living wills have now done so, and 
the largest bank holding companies submitted their second round 
of living wills last fall. 

In December, the FDIC sought public comment on an important 
document detailing the single point-of-entry strategy to facilitate 
the orderly liquidation of a failing financial company. 

Last summer, the Financial Stability Oversight Council des- 
ignated American International Group, General Electric Capital 
Corporation, and Prudential Financial for enhanced prudential 
standards and consolidated supervision by the Federal Reserve. In 
September, the Office of Financial Research released a study of 
asset management activities to help inform the Council’s under- 
standing of potential risks in this sector. 

We also continued to make progress on derivatives reform. The 
CFTC finalized its guidance on how Dodd-Frank applies to cross- 
border transactions, and the CFTC and European Commission 
agreed on a path forward, laying out their joint understanding re- 
garding those issues. 
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In September, an international working group finalized margin 
standards for noncentrally cleared derivatives transactions. U.S. 
regulators are now working to adopt these standards domestically 
and we expect these rules to be finalized this year. 

In addition, later this month, trading in several interest rate and 
credit derivatives markets will be required to take place on new 
electronic trading platforms. 

In December, Treasury’s Federal Insurance Office released a re- 
port setting out 27 recommendations designed to bring our insur- 
ance regulatory system into the 21st century. 

Another area of growing concern for Treasury and the Council is 
the vulnerability of our financial sector infrastructure to cyber 
events. I want to thank the Committee for choosing to focus part 
of today’s hearing on this topic. The changing nature of these cyber 
threats prompted the Financial Stability Oversight Council last 
year to highlight cybersecurity as worthy of heightened risk man- 
agement and supervisory attention. Under the President’s Execu- 
tive Order on cybersecurity. Treasury also serves as a sector-spe- 
cific agency for the financial sector, with a leading role in informa- 
tion sharing and a coordinating role in incident response. 

Finally, I would like to highlight for the Committee a few areas 
where Treasury intends to direct significant attention this year to 
complete outstanding pieces of financial reform. We will take steps 
to promote consistent implementation of global capital and liquidity 
standards. We have forged ahead in implementing key derivatives 
reforms, and we need to make sure similar reforms are put in place 
around the globe. Treasury and the regulators will continue to 
closely collaborate with our international counterparts through fo- 
rums like the Financial Stability Board and on a bilateral basis to 
address obstacles to resolving large cross-border firms. 

Of course, there is still much to be done domestically, as well. As 
was the case with the Volcker Rule, Secretary Lew, as Chairperson 
of the FSOC, is responsible for coordinating the joint rulemaking 
to implement the risk retention rule. The rule was re-proposed last 
year, and completion of these regulations in 2014 is a key priority 
for the Treasury. 

The last year was a busy one and we made substantial progress 
in financial regulatory reform. These reforms have made our finan- 
cial system stronger, more stable, and more focused on fulfilling its 
core function of facilitating growth of the broader economy. That 
does not mean we will be able to relax our guard. The crisis re- 
vealed that regulation and oversight failed to keep pace with an 
evolving financial system and demonstrated why we must always 
remain vigilant to potential emerging risks in financial institutions 
and markets. 

Thank you, and I look forward to taking your questions. 

Chairman JOHNSON. Thank you. 

Governor Tarullo, you may proceed. 

STATEMENT OF DANIEL K. TARULLO, GOVERNOR, BOARD OF 
GOVERNORS OF THE FEDERAL RESERVE SYSTEM 

Mr. Tarullo. Thank you, Mr. Chairman, Senator Crapo, and 
other Members of the Committee. 
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Let me make four quick points in beginning today. First, with re- 
spect to the rulemaking agenda, in a hearing before this Committee 
just about a year ago, I expressed the hope and the expectation 
that 2013 would be the beginning of the end of the major portion 
of rulemakings implementing Dodd-Frank and strengthening cap- 
ital rules. Specifically, at that time, I anticipated, first, that we 
would issue final regulations on the Volcker Rule, capital rules. 
Section 716, some of the special prudential requirements for sys- 
temically important firms, and, second, that we would issue pro- 
posed rules on the capital surcharge for systemically important 
banks and the liquidity coverage ratio. 

In the event, we did get final rules on Section 716, the Volcker 
Rule, and the LCR proposal done in 2013. We also issued a final 
rule implementing Section 318, which requires an assessment on 
large financial institutions for supervisory expenses. We did not get 
the additional Section 165 final rule or the SIFI surcharge pro- 
posed rule out, but these, along with completion of the additional 
leverage ratio for systemically important firms, are the priorities to 
be taken up in the near term. 

Second, we continue to refine our stress testing and our annual 
comprehensive capital analysis exercise. We have broadened the 
nature of risks incorporated into the scenarios we develop. We have 
issued a policy statement describing our approach to scenario de- 
velopment. And we have issued a paper covering expectations for 
internal capital planning at large firms. These and other refine- 
ments which have been informed by the extensive commentary and 
advice we get from banks, technical experts, and policy analysts, 
continue to improve what I think is the single most important 
change in supervisory practice since the financial crisis. 

Third, as I have said before, we need to address more com- 
prehensively the systemic risks potentially posed by heavy reliance 
on short-term wholesale funding, both by the largest institutions 
and more generally in financial markets, particularly those ar- 
rangements for securities finance transactions. We have been dis- 
cussing internally ideas for doing so, some of which I have sketched 
out in some recent speeches. I do not want to give a timeframe for 
when we may have proposals in this area, but I do want to reit- 
erate the importance we attach to this issue. 

Finally, with respect to cybersecurity, I would make a few gen- 
eral observations. First, the recent data breaches at some retailers 
and Internet service providers underscore the extent to which the 
effective scope of the payment system involves many more inter- 
mediaries than just regulated depository institutions. The weakest 
links in any part of that chain will be exploited by criminals and 
other malefactors. 

Second, while the recent episodes involve data security breaches 
resulting in the theft of card and other consumer information, they 
should also remind us that cybersecurity is an even broader con- 
cern, implicating the integrity of our financial system and the rest 
of the economy. You all remember, I am sure, the denial of service 
attacks on numerous U.S. banks over the past couple of years. 

Third, we should not think of either the recent data breaches or 
any other cybersecurity problems as discrete problems susceptible 
to solutions, but rather as new conditions of continuing vulner- 
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ability that will require adaptive, dynamic responses by both Gov- 
ernment and the private sector. 

Thank you for your attention. I would be pleased to answer any 
questions you might have. 

Chairman JOHNSON. Thank you. 

Chairman Gruenberg, please proceed. 

STATEMENT OF MARTIN J. GRUENBERG, CHAIRMAN, 
FEDERAL DEPOSIT INSURANCE CORPORATION 

Mr. Gruenberg. Chairman Johnson, Ranking Member Crapo, 
Members of the Committee, thank you for the opportunity to testify 
today on the FDIC’s actions to implement the Dodd-Frank Act and 
to provide oversight of financial institutions’ data integrity efforts. 

The adoption of the final Volcker Rule in December by the agen- 
cies testifying today was a significant milestone in the implementa- 
tion of the Dodd-Frank Act. The purpose of the Volcker Rule, as 
you know, is to limit certain risky activities of banking entities that 
are supported by the public safety net, whether through deposit in- 
surance or access to the Federal Reserve’s discount window. In gen- 
eral, the rule prohibits banking entities from engaging in propri- 
etary trading activities and places limits on the ability of banking 
entities to invest in or have certain relationships with hedge funds 
and private equity funds. The proprietary trading restrictions of 
the rule seek to balance the prudential restrictions of the Volcker 
Rule while preserving permissible underwriting, market making, 
and risk-mitigating hedging activities. 

In response to concerns raised by commentors, the final rule pro- 
vides compliance requirements that vary based on the size of the 
banking entity and the amount of covered activities it conducts. For 
example, the final rule imposes no compliance burden on banking 
entities that do not engage in activities that are covered by the 
Volcker Rule. Most community banks will not need to make 
changes to their policies and procedures and will have no new re- 
porting requirements, provided they do not engage in activities cov- 
ered by the rule. 

We also recognize that clear and consistent application of the 
final rule across all banking entities will be extremely important. 
To help ensure this consistency, the five agencies have formed an 
interagency Volcker Rule Implementation Working Group. The 
Working Group has begun meeting and will meet regularly to ad- 
dress reporting, guidance and interpretation issues to facilitate 
compliance with the rule. 

The FDIC has made additional progress in other areas of the 
Dodd-Frank Act that are described in my written statement, in- 
cluding the risk retention requirement, which seeks to ensure that 
securitization sponsors have appropriate incentives for prudent un- 
derwriting. 

In addition, the FDIC continued to make progress on the provi- 
sions of the Dodd-Frank Act relating to the resolution of system- 
ically important financial institutions, or SIFIs. Using the stand- 
ards provided in the statute, the FDIC and the Federal Reserve are 
currently reviewing the revised resolution plans required under 
Title I of Dodd-Frank for the largest most systemically significant 
financial institutions. 
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The FDIC also issued a Federal Register notice for public com- 
ment providing a detailed description of the Single Point of Entry 
strategy developed by the FDIC to implement the Title II resolu- 
tion authorities under the Act. 

Finally, we have continued our active engagement with foreign 
jurisdictions that will be important to the cross-border resolution of 
a SIFI, including the United Kingdom, Germany, Switzerland, 
Japan, and the European Commission. 

The FDIC also joined with the Federal Reserve and the OCC in 
issuing rules that significantly revise and strengthen risk-based 
capital regulations through implementation of the Basel III inter- 
national accord. The agencies also issued an NPR that would sig- 
nificantly strengthen the supplementary leverage capital require- 
ments in the Basel III rulemaking for the eight largest bank hold- 
ing companies and their insured banks. Completion of this NPR is 
a top priority for the FDIC. 

In regard to the issue of data integrity, the FDIC treats data se- 
curity as a significant risk area due to its potential to disrupt bank 
operations, harm consumers, and undermine confidence in the 
banking system and the economy. The FDIC’s most direct role in 
ensuring cybersecurity within the financial sector is through its on- 
site examination programs of financial institutions and third-party 
service providers. These examinations are designed to ensure that 
financial institutions protect both bank and customer information. 

The FDIC is actively providing our supervised banks with assist- 
ance in planning and training for cyber threats. This includes a 
new program directly designed to assist community banks in plan- 
ning for cyber threats. We are also working with our FFIEC col- 
leagues through the Cybersecurity and Critical Infrastructure 
Working Group to strengthen examination policy, training, infor- 
mation sharing, and incident communication and coordination. 

Mr. Chairman, that concludes my remarks. I would be glad to re- 
spond to questions. 

Chairman JOHNSON. Thank you. 

Comptroller Curry, please proceed. 

STATEMENT OF THOMAS J. CURRY, COMPTROLLER OF THE 

CURRENCY, OFFICE OF THE COMPTROLLER OF THE CUR- 
RENCY 

Mr. Curry. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for the opportunity to ap- 
pear before you today. 

Your invitation asked for our thoughts on a range of important 
issues, and my written testimony covers those matters in detail. In 
the time I have now, I would like to speak briefly about what the 
OCC is doing to improve the security of consumer financial infor- 
mation held by banks, implement the Dodd-Frank Act, and im- 
prove our own supervisory processes. 

First, let me say that there are few issues of greater concern to 
me or to the OCC than the increasing risk of cyber attacks. The 
data breaches at Target, Neiman Marcus, as well as recent denial 
of service attacks on some banks, are more than just an inconven- 
ience for banks and their customers. The affected customers pay a 
price in terms of the time lost monitoring accounts as well as the 
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very real expense incurred in restoring their credit information, 
even though they are generally protected against fraudulent 
charges by their financial institutions. Banks bear the expense of 
replacing cards, providing credit monitoring services, and reimburs- 
ing customers for fraud losses. 

Moreover, every data breach raises questions about the security 
of our retail payment systems, which can diminish public con- 
fidence. Further, I am concerned that these cyber attacks are be- 
coming increasingly sophisticated and may impair our financial 
sector’s critical infrastructure. 

The banking sector is highly regulated and subject to stringent 
information security requirements. Banks and their service pro- 
viders must protect both their own systems and their customers’ 
data and respond promptly when any breach of customer informa- 
tion occurs. Moreover, the OCC regularly updates our supervisory 
practices and industry guidance to keep pace with the rapidly 
changing nature of cyber threats. For example, we recently issued 
updated guidance on third-party vendors to stress our expectation 
that banks have appropriate risk management practices in place 
for these relationships. We also encourage ongoing outreach to 
bankers to share information on emerging threats. 

One of my first initiatives as Chairman of the Federal Financial 
Institutions Examination Council was to establish a working group 
on cybersecurity issues. This group has already met with intel- 
ligence, law enforcement, and homeland security officials to share 
information and is exploring additional actions we can take to en- 
sure that banks of all sizes have the ability to safeguard their sys- 
tems. 

We have also made great progress in implementing the Dodd- 
Frank Act and in strengthening the resiliency of the banking sys- 
tem by requiring enhanced capital reserves and liquidity. For ex- 
ample, we finalized a rule requiring that an institution’s lending 
limit calculation account for credit exposure arising from deriva- 
tives and securities financing transactions. 

Last year, the OCC along with the other rulemaking agencies 
adopted final regulations implementing the Volcker Rule, which 
bars banks from engaging in proprietary trading and limits their 
ability to invest in or sponsor hedge funds or private equity funds. 
Throughout the interagency rulemaking, the OCC worked to mini- 
mize the compliance burden on community banks that are engaged 
in limited activities while ensuring that the largest banks are sub- 
ject to robust compliance and reporting requirements. 

But, while Congress gave us a number of important tools to help 
preserve the stability of the banking and financial system, it would 
be a mistake to overlook the important role of supervision to the 
health of the banking industry. Since the crisis, the OCC has taken 
a number of steps to help ensure the future strength of the indus- 
try. 

For example, we developed a set of heightened standards for 
large bank management and boards of directors. We expect large 
banks to meet the highest standards for risk management and cor- 
porate governance. We have proposed to include these standards as 
enforceable guidelines in our Part 30 regulation, which will im- 
prove our ability to enforce them. 
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At the same time, we have also taken a hard look at our own 
supervision program. Last year, I asked a team of senior inter- 
national supervisors to provide a frank and independent assess- 
ment of the way we supervise large institutions. Their thoughtful 
response notes strengths in our program and identifies areas in 
which we can improve. We are evaluating how best to implement 
their recommendations. 

This is not an easy thing for an agency to do, and I have been 
impressed with the willingness of OCC staff to embrace every op- 
portunity to improve. That attitude is the mark of a healthy orga- 
nization, and it is one of the reasons I believe that the OCC con- 
tinues to be ready to meet the challenges of supervising a rapidly 
changing industry. 

Thank you, and I look forward to your questions. 

Chairman JOHNSON. Thank you. 

Chair White, please proceed. 

STATEMENT OF MARY JO WHITE, CHAIR, SECURITIES AND 
EXCHANGE COMMISSION 

Ms. White. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for inviting me to testify 
about the SEC’s ongoing implementation of the Dodd-Frank Act 
and the important issue of data security. 

The Dodd-Frank Act significantly expanded the regulatory re- 
sponsibilities of the SEC. It enhanced the SEC’s authority over 
credit rating agencies and clearing agencies and strengthened our 
regulation of asset-backed securities. It gave the SEC new respon- 
sibilities over municipal advisors and hedge fund and other private 
fund advisors, and required a new oversight regime for over-the- 
counter derivatives. It also created a whistleblower program and 
provided the SEC with additional enforcement tools, which we are 
using. 

Implementing the Dodd-Frank Act has required the SEC, as you 
know, to undertake one of the largest and most complex agendas 
in the history of the agency, with more than 90 provisions requir- 
ing rulemaking and more than 20 others requiring studies or re- 
ports. In addition, the Dodd-Frank Act and the financial crisis that 
preceded it have focused the SEC’s efforts more directly on enhanc- 
ing financial stability and reducing systemic risks. 

While certainly more work remains, we have made substantial 
progress implementing this agenda. Since I arrived at the Commis- 
sion in April 2013, we have advanced rules and other initiatives 
across the wide range of regulatory objectives set by the Dodd- 
Frank Act for the SEC. 

We have adopted final rules for the registration of municipal ad- 
visors. We have analyzed the first complete set of data from reg- 
istered advisors to private funds so that the SEC and Financial 
Stability Oversight Council can better assess their impact on finan- 
cial stability. We have issued a comprehensive rule proposal for the 
cross-border application of our regulatory framework for security- 
based swaps. We have adopted a rule to further safeguard cus- 
tomer funds and securities held by broker-dealers. 

We have removed references to credit ratings in our broker-deal- 
er and investment company regulations. We have proposed a rule 
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to disclose the ratio of compensation a public company pays its 
CEO relative to what it pays its median employee. We have final- 
ized a rule disqualifying felons and other bad actors from an impor- 
tant private securities offering exemption. 

We and others have re-proposed a rule concerning the retention 
of certain credit risk by securitizers of asset-backed securities. And, 
we and others here today have adopted a final Volcker Rule that 
is consistent with the language and purpose of the Dodd-Frank Act 
and that preserves the benefits of diverse and competitive markets. 

These measures are in addition to the rules we have advanced 
and reports we have completed to implement the JOBS Act, includ- 
ing by permitting the use of general solicitation in certain private 
offerings, crowdfunding, and updating and expanding Regulation A, 
and they are also in addition to other significant initiatives, includ- 
ing our proposals to reform money market funds and to enhance 
the responsibilities of key market participants over their techno- 
logical systems. Completing the rulemakings and studies mandated 
by the Dodd-Frank and JOBS Act remains among my top priorities 
for 2014. 

Under the Dodd-Frank Act, the Commission also has taken addi- 
tional steps to protect customer data. Last April, the SEC and 
CFTC jointly adopted Regulation SID, which requires certain regu- 
lated financial institutions and creditors to adopt and implement 
policies and procedures designed to identify and address red flags 
signaling the possible theft of a customer or client’s identity. Regu- 
lation SID built upon the SEC’s existing Regulation SP, which re- 
quires registered broker-dealers, investment companies, and invest- 
ment advisors to adopt written policies and procedures instituting 
safeguards for the protection of customer records and information. 

The SEC monitors and enforces compliance with these rules and 
regulations through our examination and enforcement programs. 
Examinations of registrants relating to data protection and infor- 
mation security continues to be an exam priority for the SEC’s Na- 
tional Exam Program, and in recent years, the SEC has also 
brought enforcement actions for a registrant’s failure to adopt rea- 
sonable policies and procedures to protect customer information 
from imminent threats and for failure to respond or follow up on 
security threats despite red flags. There is no question that data 
protection is a critical national and global priority on which both 
the private and public sectors must continue to closely focus. 

Thank you again for the opportunity to testify today. I would be 
pleased to answer any questions. 

Chairman JOHNSON. Thank you. 

Chairman Wetjen, please proceed. 

STATEMENT OF MARK P. WETJEN, ACTING CHAIRMAN, 
COMMODITY FUTURES TRADING COMMISSION 

Mr. Wetjen. Good morning. Chairman Johnson, Ranking Mem- 
ber Crapo, and Members of the Committee. I am pleased to join my 
fellow regulators in testifying today, and it is great to be back in 
the Senate. 

As this Committee is well aware, the Commodities Futures Trad- 
ing Commission was given significant new responsibilities through 
the passage of the Dodd-Frank Act. The Commission has substan- 
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tially met those responsibilities with only a few rulemakings re- 
maining. As a result, nearly a hundred swap dealers and major 
swap participants have registered with the Commission and be- 
come subject to new risk management and business conduct re- 
quirements. Counterparty credit risk has been reduced through the 
Commission’s clearing mandate. And pre- and post-trade trans- 
parency in the swaps market exists where it did not before. 

The Commission also has adopted cross-border policies that ac- 
count for the varied ways that risk can be imported into the United 
States. Congress recognized in Dodd-Frank that even when activi- 
ties do not obviously implicate U.S. interests, they can still create 
less obvious but legally binding obligations that are significant and 
directly relevant to the health of a U.S. firm and that, in aggregate, 
could have a material impact on the U.S. financial system. 

In a matter of days, the compliance date for one of the remaining 
hallmarks of the financial reform effort will arrive, as well, the ef- 
fective date of the swap trading mandate. The Commission also is 
working to complete in the coming months rulemakings for capital 
and margin requirements for uncleared swaps, rulemakings in- 
tended to harmonize global regulations for clearinghouses and trad- 
ing venues, and rules establishing final position limits under the 
Commission’s newest proposal. 

Looking forward, the agency will continue its efforts to ensure an 
orderly transition to the new market structure for swaps. The 
agency staff is presently exploring whether to recommend a num- 
ber of new proposals to address remaining end-user concerns. 

In recent weeks, the Commission also finalized the Volcker Rule. 
Through this effort, the market regulators went beyond the Con- 
gressional requirement to simply coordinate. In fact, the Commis- 
sion’s final rule includes the same substantive rule text adopted by 
the other agencies. The rule strikes an appropriate balance in pro- 
hibiting the types of proprietary trading that Congress con- 
templated while protecting liquidity and risk management through 
legitimate market making and hedging activities. 

Compliance with the Volcker Rule, including the reporting of key 
metrics, will provide the Commission important new information 
that will buttress its oversight of swap dealers and Futures Com- 
mission merchants, which are banking entities under Dodd-Frank 
that are subject to the Commission’s registration rules. 

To ensure consistent, efficient implementation of the Volcker 
Rule, the agencies have established an implementation task force. 
One of the Commission’s goals for this task force will be to avoid 
unnecessary compliance and enforcement efforts by the agency. In- 
deed, this goal is one of necessity for the Commission. Our agency 
remains resource constrained and cannot reasonably be expected to 
effectively police compliance to the fullest extent. The Commission 
is also analyzing whether it can leverage the use of self-regulatory 
organizations, such as the National Futures Association, to assist 
with its responsibilities under the rule. 

Regarding the interim final rule relating to TruPS, the Commis- 
sion last month quickly and unanimously adopted the measure in 
an effort to protect liquidity and markets that are important to 
community banks. In doing so, the agency sought to avoid what 
could have been significant capital and funding consequences for 
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community banks. This is another example of the Commission re- 
sponding promptly to compliance challenges presented to it and 
also demonstrated the enduring commitment of all the agencies 
here to ongoing coordination. 

Related to the Committee’s concerns about customer data 
breaches, the Commission takes seriously its responsibility to pro- 
tect against the loss or theft of customer information. I must note 
that the Commission’s limited examinations staff has an impact on 
its ability to examine and enforce critical rules that protect cus- 
tomer privacy and ensure firms have robust information security 
and other risk management policies in place. 

Nonetheless, the Commission has taken several steps in this 
area, including jointly adopted with the SEC the final rules requir- 
ing our registrants to adopt programs to identify and address the 
risk of identity theft. The Commission also adopted new risk man- 
agement requirements for firms, including policies addressing risks 
related to retail payment systems, including identity theft, unau- 
thorized access, and cybersecurity. 

Additionally, the agency staff is poised to release a staff advisory 
outlining best practices for compliance with provisions of Gramm- 
Leach-Bliley designed to ensure financial institutions protect cus- 
tomer information. In light of recent events, the Commission also 
is presently considering implementing rules under Gramm-Leach- 
Bliley to expand upon our current customer protection regulations 
with more specificity regarding the security of customer informa- 
tion. 

Thank you for inviting me today. I would be happy to answer 
any questions. 

Chairman JOHNSON. Thank you for your testimony. 

As we begin questions, I will ask the Clerk to put 5 minutes on 
the clock for each Member. 

Secretary Miller, what steps will Treasury take to promote co- 
operation between industry, law enforcement, the intelligence com- 
munity, and regulators so that American consumers’ financial in- 
formation is better protected from threats, including cyber attacks 
and data breaches? 

Ms. Miller. Thank you for the question and for the focus on that 
issue at this hearing today. I think I would mention a few things. 

First of all, as you have recognized, the FSOC has highlighted 
this issue in its annual report to call attention to the operational 
risks of financial sector infrastructure in cybersecurity attacks, and 
I think the FSOC will continue to focus on that in terms of bring- 
ing it to the attention of all of its members. 

At the Treasury, we are the sector-specific agency for the finan- 
cial sector on this issue. As such, we have an important role in co- 
ordinating incident responses, but also making sure there is very 
strong information sharing between the private sector itself and be- 
tween the private sector and regulators, and Treasury has stepped 
up to make sure that we can translate information from the intel- 
ligence and the security agencies to the private sector. 

One of the ways we have done that this year is to make sure that 
we have current security clearances for people both in the Govern- 
ment and in the private sector so we can very quickly share infor- 
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mation to make sure that there are no delays in responding to a 
cybersecurity incident. 

Finally, we work with the Executive Order that the President 
has put out on this issue, but we also think it would be very valu- 
able to have comprehensive legislation on cybersecurity. Thank 
you. 

Chairman JOHNSON. Comptroller Curry, as current Chair of the 
FFIEC, is there more than can be done to help financial regulators 
better protect Americans’ financial information regardless of where 
they bank or shop? 

Mr. Curry. Thank you, Mr. Chairman. One of the major focuses 
of our cybersecurity effort at the FFIEC is to make sure that the 
regulated financial institutions are up to the task in the area of 
cybersecurity. The FFIEC is a unique forum that has present in it 
the Federal banking agencies, the consumer protection agency, as 
well as State bank supervisors. So, our focus has been on making 
sure that all financial institutions, including community banks and 
credit unions, are meeting our expectations from a regulatory 
standpoint. 

As part of our program, we are making an assessment of whether 
the overall regulatory structure is effective, from communicating 
awareness of cyber threats, making sure our examination proce- 
dures, our enforcement authorities, which would also include the 
statutory framework, are effective, given the nature of the ongoing 
cyber threats. We will also be, given the incidents relative to the 
data security breaches, focusing on whether or not existing regu- 
latory standards for technology for data security are sufficient and 
whether or not there is a need for greater coordination with other 
players in the ecosystem. Thank you. 

Chairman JOHNSON. Chair White and Chairman Wetjen, in your 
testimony, you highlight a lack of resources as significant chal- 
lenges to your agency. So, specifically, how would the current fund- 
ing levels impact your efforts to protect data and implement and 
enforce Wall Street Reform? Chair White. 

Ms. White. Yes. We do have significant budget challenges which 
impacts a number of our very important IT initiatives. There is 
nothing we value more importantly, however, than data security. 
I think the sophistication of the perpetrators continually evolves, 
and threats to both governments and market participants alike in- 
crease in complexity, really, on a daily basis. And so we do want 
to keep pace with those challenges. 

We clearly will prioritize our resources so as not to compromise 
on data security, but it does present quite a challenge. You know, 
clearly, we are also devoting resources to our examination program 
directed at data security, and to our enforcement program, as well, 
in that space, and the FY 2014 budget request actually asked for 
450 additional positions in enforcement and examination, so, obvi- 
ously, not receiving funding for that, that has an impact. But, we 
intend to keep data security very much in the forefront of our pri- 
orities. 

Chairman JOHNSON. Chairman Wetjen. 

Mr. Wetjen. Thanks, Mr. Chairman. I would echo what Chair 
White said. The main tool that we have is to examine the practices 
of our registered entities. They have a variety of risk management 
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requirements that relate to keeping customer information safe and 
secure, and because we are resource constrained, it is very likely 
we are not going to be able to review and examine those systems 
that the registered entities have in place and so we cannot be sure 
that the data that is being kept by our registered entities is going 
to be as secure as we would like. So, that is the real world expla- 
nation or reason why the challenges we continue to face on the re- 
source front could have an impact on consumers. 

Chairman JOHNSON. Chairman Gruenberg, I commend you and 
your fellow regulators for acting quickly to fix a Volcker Rule issue 
that could have unintentionally harmed community banks. As you 
analyze other rules, what are you doing to minimize unintended 
consequences and monitor the impact on community banks? 

Mr. Gruenberg. Thank you, Mr. Chairman. I think it is fair to 
say that in all of the rulemakings we have been undertaking, the 
agencies across the board have paid particular attention to the im- 
pact on community banks. In the two major rulemakings we did 
last year on the Basel III capital accord as well as the Volcker 
Rule, we made significant changes in the final rulemakings to be 
responsive to comments and concerns raised by community banks. 
We made three significant changes in the Basel III rules responsive 
to the comments. As I noted, in the Volcker Rule, we made adjust- 
ments in the final rule so that for the large majority of community 
banks that do not engage in activities subject to the Volcker Rule, 
that large majority of community banks will have no compliance re- 
quirements under Volcker. 

I would note the importance of the cybersecurity issue to commu- 
nity banks, and perhaps it has been less appreciated because most 
of the focus on cybersecurity has been on the large institutions. 
But, I can tell you, we have an advisory committee of community 
banks from around the country that our board meets with three 
times a year, and when we went through issues of concern to them, 
cybersecurity was near the top of their list. All of them related 
incidences that their institutions experienced. As the larger institu- 
tions have strengthened their defensive positions, there really has 
been a movement down the system. 

So, this, I think, is really an area that needs particular concern, 
and we have developed a number of tools to assist community 
banks in this area. 

Chairman JOHNSON. Senator Crapo. 

Senator Crapo. Thank you, Mr. Chairman. 

Under Secretary Miller, I have a lot of questions that relate to 
Dodd-Frank implementation and data security, but I would be re- 
miss if I did not first raise the issue of housing finance reform that 
is a critical issue before this country. 

As you know, in the State of the Union, the President called on 
Congress to send him legislation that protects taxpayers from foot- 
ing the bill for a housing crisis ever again and keeps the dream of 
home ownership alive for future generations. I just want to ask 
you, as a representative of the Administration here, to confirm that 
the President has, indeed, called on Congress to send him housing 
finance reform legislation and that this is a top priority which we 
need to handle now. 
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Ms. Miller. Thank you for the question. I could not agree with 
you more. This has heen a priority of the Treasury since the day 
I arrived, to make sure that we are planning for a safe and stable 
housing finance system. As you know, last summer, the President 
articulated four important points: One, that we need to design a 
system that brings more private capital back into the housing fi- 
nance market; two, that we design something that winds down the 
GSEs as they performed and make sure that we are protecting the 
taxpayers in a future housing finance system; that we provide 
broad access to credit for creditworthy borrowers who want to own 
a home; and that we also make sure that we provide adequate fi- 
nancing for rental options in this country. 

We are very heartened that the improvement in the housing 
market, the recovery we are seeing in housing prices, the slowing 
or diminution of loan delinquencies and foreclosures is giving us 
the opportunity and the platform now to move forward with hous- 
ing finance reform, and we very much look forward to working with 
Members of this Committee on a bipartisan piece of legislation. 
Thank you. 

Senator Crapo. Well, thank you, and I just wanted to get that 
out there so that it is clear that this is a priority, and I appreciate 
your emphasis on that and your work on this. 

My next question really is not a question, it is more of a state- 
ment about the Volcker Rule, and the reason is because there is 
so much that I want to ask, there is just not time for me to get 
into it right here, so I am simply going to make a statement and 
then I will, with follow-up questions on the record, engage with 
each of you on the Volcker Rule and what we have seen. 

The concern I have is one that I know was raised yesterday in 
hearings and that has been raised significantly, which is that I 
think we are just beginning to see the unintended consequences of 
the Volcker Rule. And, as I mentioned in my opening statement, 
I am a little bit baffled that after 3 years of work on the Volcker 
Rule, none of the agencies foresaw the unintended consequence re- 
lated to CDOs that was fixed, but I am not sure it has been com- 
pletely resolved and properly yet, but at least the issue is the con- 
cern about unintended consequences with the Volcker Rule and the 
problems that we are now seeing highlighted there with the mul- 
tiple regulators having to coordinate with each other and fully con- 
sider all of the dynamics of a very major rule such as this. 

So, I am going to leave it at that right now and not ask you to 
engage with me right now, because I have got a lot of other ques- 
tions to try to get to, but I will, with questions on the record, be 
engaging with you. 

For the next question. Chair White, I would like to turn to you. 
I understand that FSOC is evaluating whether and how to consider 
asset management firms for designation as SIFIs. As a part of that 
evaluation process, the FSOC asked the Office of Financial Re- 
search to draft a study of the asset management industry, and un- 
fortunately, the OFR report failed to fully take into account the 
perspectives of and the data from the SEC and market partici- 
pants, as I see it. The asset management industry is squarely with- 
in the SEC’s jurisdiction and core expertise. 
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What additional work and data gathering do you believe should 
be done to further understand the asset management industry and 
to achieve the right result in this context? 

Ms. White. I should say, I guess, at the outset, the SEC is very 
actively working in the FSOC setting with our fellow agencies in 
following up on concentrating exactly on those issues. We provided 
technical assistance to OFR before that study was completed, com- 
mented extensively, some of those comments taken, some of those 
not, as is usual, but agreed to disagree on a number of things. So, 
I think it is very important that we have complete data, complete 
expertise applied to all these issues and focus on what differences 
there are in terms of asset managers, which are obviously based on 
an agency model, business model. But, I think that discussion is 
going on. 

Senator Crapo. Thank you very much. 

And one more question. This goes to both Chairman White and 
Chairman Wetjen. I have a lot more questions, but this will be the 
last one I get to get at here, and that is that over the last year, 
I have repeatedly expressed my view that the SEC and the CFTC, 
to move in a more coordinated way with regard to Dodd-Frank im- 
plementation and cross-border initiatives for derivatives. Some 
argue that the CFTC’s implementation is largely complete, while 
the SEC has a fair amount of work left to be done. 

As the landscape for Title VII continues to develop, what are the 
concrete steps that your agencies are taking to ensure coordination 
from both rulemaking and compliance perspectives? 

Ms. White. Let me just, I guess, take that first, which is that, 
A, we are prioritizing the completion of our rules in 2014 for Title 
VII. Our staffs are in pretty much constant contact about imple- 
mentation issues. We are also actually looking at the possibility of 
accelerating on some issues that do not require full rulemaking, 
and we are also engaged at the principal level, which I think is 
very important, as well. 

Senator Crapo. Thank you. 

Mr. Wetjen. 

Mr. Wetjen. Thanks, Senator Crapo. I agree with Chair White. 
It is a priority for our agency to coordinate closely with the SEC. 
At a personal level, I have been involved in that since joining the 
agency. Of course, as you alluded to, our cross-border guidance is 
currently in place, but there are still some issues that continue to 
arise related to it and we continue to consult with the SEC as 
those arise. 

And to give you a specific example, there is some interest in 
some subsequent staff advisories concerning our guidance. We are 
hosting a Global Markets Advisory Committee meeting at the Com- 
mission next week and the SEC will be participating in that meet- 
ing, as well as some foreign regulators from both the FCA in the 
United Kingdom and the European Commission in Brussels. So, we 
will have regulators from around the globe, including the SEC, pro- 
viding their input, all in an effort to, as you say, coordinate as best 
we can. 

Senator Crapo. Thank you. 
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I have a number of additional questions, but I will submit those 
for the record, Mr. Chairman, and I look forward to working with 
the witnesses here on those. Thank you. 

Chairman JOHNSON. Senator Menendez. 

Senator Menendez. Thank you, Mr. Chairman, and thank you 
for adding data security to today’s topics. 

I would like to ask those who I understand are most involved in 
this, but anyone who feels that they have a role, as well. Governor 
Tarullo and Chairman Gruenberg and Comptroller Curry, and ex- 
actly what roles are your agencies playing as it relates to data se- 
curity standards that in my understanding are largely set by the 
industry? I get the sense that your role is generally outlining gen- 
eral principles and leaving the private sector to fill in the details, 
or maybe if I am wrong, I would be interested in what you are 
doing beyond that. 

This past Monday, we had a Subcommittee hearing that Senator 
Warner held with the retailers, the banks, the card industry, con- 
sumer advocates, and what not, and I am wondering, should we not 
be establishing a Federal standard, one that does not lock in a spe- 
cific technology, because that can be eclipsed in time, but one that 
certainly looks at the question of a regulatory standard based on 
performance. For example, could we not say that at some point, it 
has to be considered an unreasonable security risk for a company 
not to be using, for example, chip and PIN technology, or some- 
thing that performs equivalently, if that is the highest standard 
that exists in the marketplace at a given time, so that at least com- 
panies would understand what that standard is that they are being 
held accountable to and we could respond accordingly with the FTC 
or others as it relates to violating that standard on behalf of con- 
sumers. 

Mr. Curry. Senator, I think the basic framework is in place for 
the financial institutions regulated by the banking agencies. We 
have standards for information security. We have an ongoing over- 
sight program in terms of examining the individual institutions 
under our jurisdiction. And we also supervise certain institution-af- 
filiated parties, independent service organizations. The agencies, 
the OCC, in particular, has also set out detailed expectations with 
respect to third-party vendors that are used by those service pro- 
viders. 

Senator Menendez. Do those standards serve us well in the data 
breaches in Target and Neiman Marcus and others? 

Mr. Curry. Well, in that particular instance, the breaches did 
not occur at the bank end, and I think what you pointed out cor- 
rectly is there are different standards between different players 
within the system. The banking industry does have basic standards 
in place that are not necessarily existing in the merchant or retail 
space, so that in order to provide a consumer with the same breach 
notification rights, it may be necessary to impose legal or other re- 
quirements on retailers or merchants, and that is the situation. 

Senator Menendez. Governor Tarullo. 

Mr. Tarullo. Senator, let me supplement a bit. I agree with 
Comptroller Curry, obviously, about the mechanisms the three 
banking regulators have put in place. But, I think your question 
gets to a broader issue, and I agree with what I think is the 
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premise of your question, which is we cannot look at just the banks 
right now. I think we need to think in terms of a consumer who 
uses a credit card, and at that point, her information starts on a 
trail which may go through a retailer and a processor and one or 
more banks before the final payment is eventually made. And I 
think right now, we do not have any mechanism for taking that 
view of what I would characterize as a very extended payment sys- 
tem and making sure that the kind of standards which would as- 
sure protections at each step of the way are actually realized. As 
I said in my introductory remarks, the weakest link in the chain 
is where the attention is going to be directed by criminals or oth- 
ers. 

You know, there are a lot of people doing a lot of work through- 
out the U.S. Government on this 

Senator Menendez. So 

Mr. Tarullo. ^but I think you are going to need some more 

general standards. Let me just give you one example, which is sort 
of helpful. I think we probably need some uniform requirements on 
disclosure when breaches have actually taken place. You know, the 
three banking agencies require remediation, particular remediation 
efforts and notification and the like, but that is not true generally. 
And until the banks and customers are assured that they know 
whenever anything has happened with their data, it is going to be 
hard for people to respond. 

Senator Menendez. Well, we look forward to your work on what 
I think should be a standard that we can — across the universe of 
those who ultimately hold consumer information. 

If I may, one final question, Mr. Chairman. 

Chairman JOHNSON. Yes. 

Senator Menendez. Again, to the three of you, we have seen re- 
ports in the press of regulated financial institutions purchasing 
credit protection, often using credit default swaps, from unregu- 
lated entities like hedge funds or entities formed offshore to avoid 
regulation in order to reduce the amount of capital that they need 
to hold an investment on the book. And, in fact, these trades are 
transferring risk from a regulated entity, institution, that are sub- 
ject to capital requirements, to unregulated entities that are not 
subject to capital requirements. And instead of raising equity to 
pay for an investment, the bank is taking an exposure to an entity 
that may or may not be able to pay up if the investment goes bad. 
And if that story sounds familiar, it is because it is very strikingly 
similar to what we saw happen with AIG before the financial crisis. 

So, the question is, when a regulated financial institution pur- 
chases credit protection, can you describe how you take into ac- 
count counterparty credit risk when determining how much credit 
the financial institution gets toward its capital calculations and 
what is required of banks to monitor their counterparties’ ability 
to perform on a trade, because otherwise, I just see us, as we are 
talking about financial security here and stability and systemic 
risk, we are almost back in this element to the same type of risk 
possibility that we were before Dodd-Frank. 

Mr. Curry. Senator, we share your concerns from a supervisory 
standpoint on the risks from credit transfer transactions, as you 
have described them. So, as a result, it is something that we scruti- 
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nize carefully from an examination standpoint at the OCC. Our po- 
sition is that we are looking to see that it is actually a true trans- 
fer, and if it is not, we will not accord it the more favorable capital 
treatment. 

Senator Menendez. Chairman. 

Mr. Gruenberg. Senator, I would just comment. We have not 
approved requests for these kind of arrangements for our super- 
vised institutions, and I would note that under the leverage ratio, 
firms would not receive any capital benefits from these kinds of 
interactions, which underscores the value of the strong leverage 
ratio requirement, as well. 

Senator Menendez. Well, we look forward to your continuing 
work in that regard. 

Thank you, Mr. Chairman. 

Chairman JOHNSON. Senator Brown. 

Senator Brown. Thank you, Mr. Chairman. 

Governor Tarullo said in his testimony that, quote, “work re- 
mains to be done to address the problems of too-big-to-fail and sys- 
temic risk.” I would like to ask each of you to give me a simple yes 
or no, starting with you, Ms. Miller, if you believe that too-big-to- 
fail — if you agree with Governor Tarullo, that we have not ended 
too-big-to-fail. A simple yes or no, if each of you would do that. Ms. 
Miller. 

Ms. Miller. I do not think we have ended the perception of too- 
big-to-fail, but I think we have gone a long way to ending too-big- 
to-fail with the regulations. 

Senator Brown. Governor Tarullo, I assume you agree with Gov- 
ernor Tarullo’s statement. 

Mr. Tarullo. [Nodding head.] 

Senator Brown. OK. 

[Laughter.] 

Senator Brown. Mr. Gruenberg. 

Mr. Gruenberg. Yes, I agree. 

Senator Brown. I am sorry? 

Mr. Gruenberg. Yes, I agree with the question that you raised. 

Senator Brown. OK. Mr. Curry. 

Mr. Curry. Yes, I also agree. Thank you. 

Senator Brown. We have not ended it. OK. Ms. White. 

Ms. White. Too soon to tell. I agree. 

Senator Brown. Mr. Wetjen. 

Mr. Wetjen. I also agree with Under Secretary Miller’s com- 
ments. 

Senator Brown. OK. If too-big-to-fail is not over, and most of you 
agree with that — some of you, I am not sure on either end where 
you sit exactly — I want to ask about two ways to address it. One 
is living wills. Yesterday, Chairman Gruenberg and Governor 
Tarullo answered Representative McHenry, you are willing to say 
living wills are deficient as you evaluate the second round sub- 
mitted by the biggest banks. Both Ms. Miller and Chairman 
Gruenberg note that bankruptcy is the standard against living 
wills are supposed to be measured. I doubt that all of the largest 
banks, those with more than — those 8 to 10 banks that are $250 
billion up in assets — I doubt that those largest banks can be re- 
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solved through an orderly process, so it is clear we all have work 
to do. 

The other issue of the other of the two ways to address too-hig- 
to-fail is the supplemental leverage ratio. I was encouraged a num- 
ber of months ago when OCC, FDIC, and the Fed proposed their 
supplemental leverage ratio requiring the largest insured banks 
and bank holding companies to have the ability to produce tens of 
billions of dollars, to have initial tens of billions of dollars in capital 
to protect against failure. Governor Tarullo notes that the Basel 
Committee’s revisions for measuring bank assets under Basel III 
leverage ratios will be incorporated into your proposed leverage 
ratio. 

So, my question is about how soon and how we do this. For Gov- 
ernor Tarullo and Comptroller Curry and Chairman Gruenberg, 
how do you do this? Will the United States finalize its supple- 
mental leverage ratio first and then revise the asset definitions 
once Basel has completed its process, or will you wait until there 
is an international standard in finance, an international standard 
to finalize the leverage ratio? In other words, are we going to move 
first or are we going to continue to wait? Ms. Miller. 

Ms. Miller. I think I would actually prefer to defer to the regu- 
lators to talk about the work that they are doing in this particular 
area because I think it is really their charge to adopt these stand- 
ards and put them into 

Senator Brown. There is no Treasury recommendation here? 

Ms. Miller. No, we certainly support the proposals on supple- 
mental leverage ratio and making sure that we have a very effec- 
tive regime here in terms of 

Senator Brown. But you do not have a position on the timing of 
these rules? 

Ms. Miller. The only thing that I think we have been clear 
about is we want to make sure that we are coordinating well with 
our international counterparts. So, for example, some of the meet- 
ings that took place in January were quite helpful, I think, in ar- 
ticulating common standards. So, I think we would like to make 
sure we are moving in concert with our international partners, but 
we would like to see these things done as quickly as possible 

Senator Brown. I hope that “in concert” and “working with” does 
not imply an abdication of leadership and we will not go first. But, 
the three regulators. I think Ms. Miller is right. Governor Tarullo, 
if you would go first. 

Mr. Tarullo. I think the redefinition of the denominator, which 
was basically what the international work was about, is essentially 
done. I mean, we know where they have come out. The question 
that remains is what is the required minimum ratio going to be 
given that work. And as I think you know, because you alluded to 
the proposed regulation, it is the intention of the three bank regu- 
latory agencies to have a higher minimum ratio than that that pre- 
vails in the international forum right now. 

So, what we have been able to do is to move toward a point 
where we have got our definitions harmonized, but we will inde- 
pendently put in a higher leverage ratio than the international 
standard. And as I said in my opening remarks, for us, that is one 
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of the three regulatory initiatives that is the top priority in the 
near term. 

Senator Brown. Chairman Gruenberg, timing and action and 
what are you going to do. 

Mr. Gruenberg. Yeah. I think — I am hopeful we can move for- 
ward quickly to finalize the supplementary leverage ratio proposal, 
and we will need to also act to incorporate the changes to the de- 
nominator, as Governor Tarullo indicated, that were finalized by 
the Basel 

Senator Brown. And that means we are going to move first? 

Mr. Gruenberg. Yes, I believe so. 

Senator Brown. Comptroller Curry. 

Mr. Curry. Yes. I think Chairman Gruenberg described the proc- 
ess. My own view of what should happen is that we should adopt 
both provisions, the final version of the NPR and the supplemental 
leverage ratio, and also adopt the — consider adopting the changes 
in the denominator coming out of the Basel Committee and do that 
as quickly as possible. It is a real high priority for me and the 
OCC. 

Senator Brown. Good. Last July, in response to my question. 
Chairman Bernanke told this Committee that he believes the 
United States has a leadership position and other countries are 
likely to follow our example. You can cite — he did not, but you can 
cite a number of issues. The EU just proposed its own version of 
the Volcker Rule. It is important we lead, and I urge all of you in 
positions to do this to move quickly and decisively. 

Thank you, Mr. Chairman. 

Chairman JOHNSON. Senator Shelby. 

Senator Shelby. Thank you. 

Governor Tarullo, we have been talking about — I was gone a few 
minutes, but the Senator from Ohio was talking about, I think, the 
Volcker Rule and the implementation, at least that is what I got. 
Let us go back just a minute. How will the Volcker Rule when it 
is fully implemented differ from what we had under Glass- 
Steagall? 

Mr. Tarullo. So, under Glass-Steagall, Senator, there could not 
be an affiliation, that is, a corporate affiliation, between a commer- 
cial bank, an insured depository institution, on the one hand, and, 
for example, a broker-dealer trading generally, doing underwriting 
of equities and trading in equities and 

Senator Shelby. Separation of commercial banking from invest- 
ment banking? 

Mr. Tarullo. Exactly. That is sort of the distilled version of 
what Glass-Steagall was. 

Senator Shelby. OK. 

Mr. Tarullo. The Volcker Rule prohibits the proprietary trading 
activity within any part of a bank holding company 

Senator Shelby. We understand that. 

Mr. Tarullo. but it does not require that there be a separa- 
tion between investment banking and 

Senator Shelby. They can still trade from their customers, can 
they not? 

Mr. Tarullo. Correct. Full agents 
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Senator Shelby. But they could not trade proprietary for them- 
selves. 

Mr. Tarullo. That is correct. 

Senator Shelby. And risk — the idea was to risk capital to the 
bank, right? 

Mr. Tarullo. That it is kind of a moral hazard 

Senator Shelby. And ultimately to the taxpayers. 

Mr. Tarullo. It is a moral hazard motivation, exactly. Senator. 
Senator Shelby. OK. What can, say, a commercial bank do now, 
including the Volcker Rule, what can they do that they could not 

do before Glass-Steagall was 

Mr. Tarullo. Oh, what can the commercial bank do 

Senator Shelby. Yes. What can they do that they could not 

Mr. Tarullo. So 

Senator Shelby. including the restrictions put on them by 

proprietary trading by the Volcker Rule. 

Mr. Tarullo. Right. There was a parallel movement over the 
time the Glass-Steagall was in effect whereby banks got more pow- 
ers. They were allowed to do things that they had not been allowed 
to do in 1933. Neither Glass-Steagall nor Gramm-Leach-Bliley real- 
ly changed that so much. So, I do not actually think that either 
Gramm-Leach-Bliley or the Volcker Rule has basically changed 
what national banks can do, and Comptroller Curry may want to 

weigh in on this. All it has done is put a constraint on 

Senator Shelby. And you emphasized national banks, did you? 

Mr. Tarullo. No, it would — well, so no 

Senator Shelby. Or all banks? 

Mr. Tarullo. under the FDI Act 

Senator Shelby. OK. 

Mr. Tarullo. no bank can do — no insured depository institu- 

tion — 

Senator Shelby. Right. 

Mr. Tarullo. can do as principal anything that a national 

bank 

Senator Shelby. Right. Right. On the European banks that do 
business in this country, and a lot of them do, the big ones, they, 
as I understand it, will come under the Volcker Rule, too, here. 

Mr. Tarullo. Here in the United States, yes, sir. 

Senator Shelby. Now, how is that coming along? 

Mr. Tarullo. Well, of course 

Senator Shelby. Because in Europe, they have got a different 
deal, have they not? 

Mr. Tarullo. That is right. We are just 

Senator Shelby. Like, if it was a Deutsche Bank, an HSBC, the 
Volcker Rule in the European Union there does not apply to them, 
but it would apply to them doing business in the United States. 

Mr. Tarullo. That is right. The rules enacted by the five agen- 
cies would apply to any banking organizations within the United 
States, and so they would apply. There is, as you know, an excep- 
tion in the Volcker Rule for activity done solely outside the United 
States by a foreign bank, and so there are standards for meeting 
that. As you suggest, the European Union is now thinking about 
their own version of the Volcker Rule, but that is a proposal at this 
juncture, so we do not know exactly how it would line up. 
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Senator Shelby. I know all of you watch what is going on in Eu- 
rope, and you should. They have a number of so-called stress tests 
coming up. How do those stress tests compare to the stress tests 
that you folks put our banks through? We have always thought and 
heard and read that they are not as stringent or strict. 

Mr. Tarullo. Well, as you can tell, we have paid a lot of atten- 
tion to our stress tests in the United States and we try to improve 
them every year. I think what you are seeing in Europe now is a 
somewhat different approach to the stress testing exercise, and im- 
portantly, it is now being done at the European Central Bank, and 
the European Central Bank is doing it as the soon-to-be umbrella 
supervisor for all the large banks in Europe. They have the capac- 
ity to do scenarios the way we do, and so I think we are going to 
see a somewhat different approach. 

They do have a big task, though. You know, we do about 30 of 
our institutions and they have got over 100 that they have to cover. 
So, it is a big task and it is going to take them about a year to 
do it. But I think here, as in many other areas, we are starting to 
converge more on practice. 

Senator Shelby. I will direct — this is my last question — to both 
you and the Chairman, Marty, of FDIC. Today, 2014, how do you 
feel about the capitalization of our banking system overall? First, 
Marty, I will ask you, and then — that is very important. And how 
far has it come, and is it where you want it or are you going — they 
are going to have to jump through some more hoops? 

Mr. Gruenberg. I would say. Senator, we are getting there. 

Senator Shelby. Mm-hmm. 

Mr. Gruenberg. We have made real improvements. 

Senator Shelby. Absolutely. 

Mr. Gruenberg. I think, it is fair to say as a general proposition 
over these last 4 years since the crisis, our banks across the board, 
from large to small, have significantly rebuilt their balance sheets 
and are in a stronger capital position today. I also think, and Gov- 
ernor Tarullo certainly will comment on this, that we are moving, 
in particular, to strengthen the capital requirements for our larg- 
est, most systemically significant institutions. That is still a work 
in progress, but I think we are moving in the right direction. 

Senator Shelby. Governor. 

Mr. Tarullo. Senator, with respect to the smaller banks, which 
I would say is all but the biggest 30, the expectations that we have 
with respect to the new capital rules, I think those are all now in 
place and most banks already meet those, and those that are not, 
do not, I think will be coming up to do so. 

As Chairman Gruenberg mentioned, we are still focused on the 
largest institutions, and it will not surprise you to hear me say 
that I am particularly focused on institutions that have a heavy re- 
liance on short-term wholesale funding. And I believe that we need 
to think in terms of potentially more capital at the very largest in- 
stitutions which have that vulnerability to runs from short-term 
wholesale funding. 

The second thing I would say is, what the stress tests do is give 
us a dynamic capital measure as opposed to a static one. We ^ve 
a scenario. We project forward what losses will be rather than just 
rely on backward-looking measures. And the continued improve- 
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ments on that, the rigor in the scenario, the taking into account 
new things like interest rate shocks are a way to assure that, re- 
gardless of the capital ratios required on the books, that we do 
have the kind of resiliency in the system which we have all been 
striving for. 

Senator Shelby. What about flexibility of capital? How impor- 
tant is that? You can have the capital, but you have got to be able 
to use it at stressful times, have you not? 

Mr. Tarullo. That is correct. Senator, and that is why the em- 
phasis that all three of us have had on common equity, which is 
the most loss absorbent form of capital. You know, over the years — 
we should just call it as it was — there were some games played 
with the kind of things that could qualify as capital. 

Senator Shelby. Sure. 

Mr. Tarullo. I think we saw in the crisis that when stress hits, 
the markets will see right through those sorts of things, and that 
is why common equity needs to be at the center of our calculation. 

Senator Shelby. But you ought to be able to see through it first, 
as a regulator, right? 

Mr. Tarullo. That is correct. Senator. 

Senator Shelby. Thank you. Thank you, Mr. Chairman. 

Chairman JOHNSON. Senator Warren. 

Senator Warren. Thank you, Mr. Chairman. 

All of our regulators have conceded that our largest banks are 
still too-big-to-fail. Perhaps this is a time to note that a 21st cen- 
tury Glass-Steagall would reduce both the size of the financial in- 
stitutions, so there would not be so many that are too big, and re- 
duce the risk by separating their banking activities and help us 
bring too-big-to-fail under control. I do not think we should be wait- 
ing longer to do this. 

But, I also want to talk about another part while we have got 
you here, and that is in 2013 alone, J.P. Morgan spent nearly $17 
billion to settle claims with the Federal Government, claims relat- 
ing to its sale of fraudulent mortgage-backed securities, its illegal 
foreclosure practices, like robo-signing, its manipulation of energy 
markets in California and the Midwest, and its handling of the dis- 
astrous London Whale trade. And at the end of the year, J.P. Mor- 
gan gave its CEO, Jamie Dimon, a 75 percent raise, bringing his 
total compensation to $20 million. 

Now, you might think that presiding over activities that resulted 
in $17 billion in payouts for illegal conduct would hurt your case 
for a fat pay bump, but according to the New York Times, members 
of the J.P. Morgan Board of Directors thought that Jamie Dimon 
earned the raise, in part, and I am quoting here, “by acting as chief 
negotiator as J.P. Morgan worked out a string of banner govern- 
ment settlements.” I think this raises questions about whether our 
enforcement strategy is working or whether it is actually so bad 
that we are making it more likely for big banks to break the law. 

Neil Weinberg, the Editor-in-Chief of the American Banker mag- 
azine, said that in the current environment, quote, “Bank execu- 
tives would be crazy to hold back. If they get caught, they can pay 
their way out of the problem with shareholders’ money. And if their 
misdeeds pay off as expected, the profits will goose their pay.” I 
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will add, even if they do get caught, the executives might still get 
a raise. 

So, here is my question. Does anyone on this panel seriously 
think that the Government’s current enforcement system for finan- 
cial crimes is actually working in the sense of deterring future law 
breaking? Anyone? 

Mr. Tarullo. Well, I think we are going to have to wait and see. 
Senator, as to whether the magnitude of those fines will, in fact, 
have a deterrent effect going forward. As you noted, any dollar paid 
in compensation to any employee comes out of the capital available 
for distribution to shareholders. 

Senator Warren. I am not quite sure I am following the last 
point, though. Governor Tarullo. Jamie Dimon got a raise after he 
negotiated $17 billion to pay off for activities that were illegal that 
he presided over. So, I am not quite sure how this is a deterrent 
for other CEOs. 

Mr. Tarullo. Again, I am not going to comment on the specifics 
of that case other than to make the point that I do not know 
whether it is going to be a deterrent. I can say from our point of 
view, we are concerned with the healthy capitalization of the firm 
and the question in making sure that no payment of executive com- 
pensation or distribution to shareholders threatens that. The issue 
is between the shareholders and the executive, as long as it does 
not run afoul of those kind of safety and soundness considerations, 
that is not something that we get directly involved in. I do not 
know if you are asking whether you think the fines need to be even 
larger. 

Senator Warren. So, no, the question I am asking is whether or 
not there is adequate deterrence to prevent the largest financial in- 
stitutions in this country from breaking the law, and I am just 
reading what evidence we have to go on right now. 

You know, in the criminal system, we try to defer future mis- 
conduct by sending people to jail. In the civil system, we try to 
deter future conduct, bad conduct, by having treble damages and 
other things that will be sufficient deterrents. But right now, if fi- 
nancial institutions can just settle their claims out of court and get 
a raise for settling them, then where is the deterrent? That is the 
part I am having trouble understanding. Anyone? 

Mr. Wetjen. Senator, I will make one observation in the context 
of the LIBOR settlements that the CFTC has engaged in. It has 
been brought to the attention of the agency that a lot of modifica- 
tions of behavior have resulted in the wake of those settlements 
and in the wake of those enforcement actions, which collected more 
than a billion dollars for the taxpayer. I am not suggesting that 
there might not be other ways to enhance our enforcement program 
or the enforcement program of other regulatory agencies, but there 
does seem to be some modification of behavior that is very, very 
positive for the markets. 

Senator Warren. Well, I am glad to see there is some modifica- 
tion of behavior, but we have to worry about this. You know, I 
want to say, I thought that SEC Chairwoman Mary Jo White took 
the right step when she changed the SEC’s “no admit, no deny 
rule” so that there was at least less room for financial institutions. 
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I guess we can stop this now, but I think the public has little 
confidence in regulators’ willingness to seek the kind of penalties 
that will actually deter future financial crimes, and I do not blame 
them. I know that many of your agencies have been starved for the 
financial resources that you need to be aggressive in your enforce- 
ment actions. 

I know it is tough to go up against a big financial institution that 
seems to have unlimited resources. But Jamie Dimon himself said 
on CNBC a couple of weeks ago that J.P. Morgan could never af- 
ford a public trial. He said — I am quoting here — “Banks have a 
very tough time doing that. That would have been criminal for me 
to subject our company to.” If Jamie Dimon sees that he could not 
go to trial and it is totally up to him, this should enhance your le- 
verage. 

It tells me that if regulators are even slightly willing to take a 
large financial institution to trial, that will have an impact on fu- 
ture behavior of these financial institutions and on the meaningful- 
ness of any settlement. Until that time comes, I am not confident 
that our enforcement system is doing nearly enough to protect the 
public from financial crimes. 

Thank you, Mr. Chairman. 

Chairman Johnson. Senator Menendez, and then Senator Shel- 
by to wrap it up. 

Senator Menendez. Thank you, Mr. Chairman. I appreciate the 
opportunity again. 

I understand totally what Senator Warren is raising, and the 
question of the terms — I just want to go back to the three wit- 
nesses that I was talking to — data breach again, because it is the 
same concern about making sure that there is a deterrence. When 
you look at a financial institution’s data security measures, to what 
extent are you evaluating based on risk of harm to the financial in- 
stitution versus risk of harm to the consumer? 

Mr. Curry. Senator, I think it is both. In terms of the risk to 
the system, that is part of the examination and supervision that we 
do. I mean, it is critically important that the financial plumbing 
works, so that is one of our focuses. We are enforcing, basically, 
consumer protection laws with respect to notification, assistance if 
there are breaches and making sure that controls and systems are 
in place to prevent future incidences. So, I would say it is both. The 
focus is to protect the consumer as well as to protect the system 
itself 

Senator Menendez. Mm-hmm. Do any of you have a comment? 

Ms. White. I could just add. Senator Menendez, I think that is 
why enforcement and examination is so important in this space, 
too, in order to make sure that you at least are bringing to bear 
maximum deterrence. It is really for the benefit of the client or the 
customer where you have the authority to act, even though your ju- 
risdiction is over the entity. 

Senator Menendez. Chairman, do you 

Mr. Gruenberg. Senator, I agree with the points that have been 
made. It both goes to the financial institution and to the customer. 
I think the authorities in this area are strong for the financial in- 
stitution. One area that may be worth some review is the Bank 
Service Company Act, which was enacted in 1961. It goes to the 
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third-party service providers, which have become a more important 
factor in this whole system and may be worth some attention. I 
think the gap here is for the nonbanking sector that needs focus 
and attention. 

Senator Menendez. Well, at the hearing the other day, we had 
the banks, the retailers, and the card companies, and it was inter- 
esting to see the bankers and the retailers pointing to each other 
as the ones who should be requiring greater liability consequences. 
The only problem with that is they are going like this. The con- 
sumer is in the middle and not being protected. So, going back to 
the Governor’s comments, I really do believe we need to create a 
standard that has a common thread across all of this universe to 
protect the consumer at the end of the day. 

Finally, on a different topic. Under Secretary Miller, I recently 
asked Treasury nominee Sarah Bloom Raskin in her confirmation 
hearing about the tasks that financial regulators set in setting cap- 
ital requirements for new types of companies under the Wall Street 
Reform legislation. And as I asked her in her hearing, I said, I sup- 
port strong capital requirements and believe they are an important 
component for both safety and soundness and systemic risk regula- 
tion, but I have heard concerns from, for example, insurance com- 
panies about regulators applying bank-specific capital requirements 
to them, despite the fact that many insurance companies have very 
different business models, balance sheets, and risk profiles from 
banks. 

And in her hearing, Ms. Bloom Raskin agreed that capital stand- 
ards for insurance companies have to be properly tailored, saying 
a one-size-fits-all is not going to work, and recognizing that they 
have a very different set of asset liability structures than banks do. 
Do you agree with her statement, and what is Treasury doing in 
its role on the Financial Stability Oversight Council to ensure that 
we do not mistakenly take a one-size-fits-all approach, that we use 
the right tool for the right circumstances? 

Ms. Miller. Thank you. Senator Menendez. I am not sure I can 
add a lot to what Governor Raskin elucidated in her response to 
you before, but I would say, at the FSOC, in the process of desig- 
nating nonbank financial institutions, a lot of attention has been 
paid to the business models. A lot of attention has been paid to the 
fact that you cannot have that one-size-fits-all approach to capital. 
I think that the Federal Reserve is charged with the appropriate 
calibration of rulemaking to these institutions, and I think that we 
have given them all the support we can to make sure that we get 
this right. 

Senator Menendez. Yes, but you have a role at FSOC. 

Do you want to comment. Governor? I know this is an area 
where 

Mr. Tarullo. Yes. Thank you. Senator. We share your view that 
the liability structure on the financial institution affects the 
amount of capital it needs. It does not affect how risky a particular 
asset is. It does not matter who holds it. An asset is an asset. But 
the liability structure does affect how much capital is needed. 

Both with respect to the savings and loan holding companies, 
which are owned in some cases by insurance companies, and with 
respect to any institutions designated by FSOC as systemically im- 
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portant, including AIG and Prudential, we are trying to tailor, as 
best we can, the capital requirements to take account of. A, the 
particular products that insurance companies offer that banks do 
not, and, B, the different business model. 

A is pretty straightforward. Sometimes, it is technically complex, 
but conceptually, it is pretty straightforward and we are in the 
process of doing that. It is a little harder to do with B, in some 
cases, because of the Collins Amendment, which does place a bank- 
generated floor under capital requirements for all institutions. 

So, we are continuing to work as best we can. That is one of the 
reasons we delayed the capital requirements for S&L holding com- 
panies, because we want to take as much time as we can to use 
the authority we do have to tailor these provisions as best we can. 

Senator Menendez. Well, we look forward to hopefully getting it 
right, because it is going to make a big difference in terms of the 
consequences to not only insurance companies, but that as a prod- 
uct for Americans to be able to create both security for themselves 
and time and opportunity. 

So, thank you, Mr. Chairman. 

Chairman JOHNSON. Senator Shelby. 

Senator Shelby. Yes. I would like to direct this, first, to Chair- 
man White. It seems in recent months that the SEC has become 
a lot more aggressive on its enforcement, which I think is more 
than welcome in this country. Of course, you bring unique quali- 
fications as a former U.S. Attorney to the SEC. What has bothered 
a lot of people in this country for a long time, that when you en- 
force something and people pay huge fines — huge — and they do it 
without admitting any wrongdoing, either criminal or civil, you 
know, sometimes. And sometimes, I know, you punish people by 
fines. We understand that. It hurts. 

But sometimes it seems to me that people, if they are guilty of 
wrongdoing, criminal or civil, that that should be part of the deal 
in your law enforcement, because at the beginning of the day and 
end of the day, the financial system, the banking system, securi- 
ties, everything that goes with it, the integrity of that system is so 
important, not just the perception, but a lot of times reality, too. 

How are you working — I know you set a different tone over there 
yourself, and I commend you for that. How are you working with 
the other regulators in ferreting out wrongdoing 

Ms. White. We work — I am sorry. 

Senator Shelby. jurisdiction, dealing with securities, because 

it overlaps everywhere. 

Ms. White. Yes, it does overlap. We have very close working re- 
lationships, I think, with all of the criminal enforcement agencies 
as well as civil enforcement agencies where there is that overlap- 
ping jurisdiction, because you certainly can get synergies and do 
more. 

As you know. Senator, shortly after I got to the Commission, I 
did change our settlement protocol to, in appropriate cases — I could 
talk about parameters, but in certain cases where I think public ac- 
countability is particularly important, that we will require admis- 
sions, because it does give that public accountability, particularly 
in cases of egregious conduct, that I think the public deserves and. 
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frankly, is important to the credibility of law enforcement and de- 
terrence. I think 

Senator Shelby. And for the justice system of America. 

Ms. White. Yes, and for the justice system, and I come from 
that 

Senator Shelby. Because if the perception is, if you are so rich 
and you are so powerful that you can get by with this and that, 
that undermines everything, does it not? 

Ms. White. I think that it certainly can do that, without ques- 
tion. 

Senator Shelby. Mm-hmm. 

Ms. White. We still, in many cases, and I think wisely so, do fol- 
low the “no admit, no deny” protocol to settle cases. It results in 
returning monies to harmed shareholders more quickly. It does 
eliminate litigation risk. But at the same time, we have to be cog- 
nizant of, I think, in all cases, frankly, is this one where there will 
be no settlement unless there is that admission of wrongdoing. 

Senator Shelby. OK. Thank you very much. 

Chairman JOHNSON. Senator Schumer. 

Senator Schumer. Thank you. Thank you, Mr. Chairman. I 
thank the witnesses. 

My first question is for Governor Tarullo. It is a general ques- 
tion. It a little bit relates to what Senator Menendez was saying. 

Now, I know we have Collins and the $15 billion and the Volcker 
Rule, and I know how that passed at the last minute and all of 
that. But, it is a more general problem, and that is there all too 
often, both here and in the regulatory world, sort of a cutoff that 
is a numerical number, even when it does not apply to the Collins 
rule. 

And what I am finding is there are a good number of banks that 
are fairly large but are pretty much plain vanilla banks, and this 
is, in general, how they are regulated. In other words, they are not 
the huge banks in New York City that do all kinds — they are in- 
vestment banks as well as regular banks, and having high capital 
requirements and making sure the mistakes of 2007 and 2008 are 
not repeated, making sure the Volcker Rule applies and all of that, 
I have no problem with. 

But, oftentimes, it is also applied to banks that might have $30, 
$40, $50 billion in assets but are plain vanilla banks. They do not 
do all of the investment banking activities, the trading activities 
that the largest banks do, and yet they seem regulatorily often to 
be lumped in with them And some of these institutions are in Up- 
state New York and they are really good for the economy. They are 
doing lending to businesses, small business lending, just what a 
traditional bank was. 

And I was just wondering, do you think that, too often, the regu- 
lators and even the rulemaking process — look, we just had it here. 
Senator Merkley had an amendment on conflict of interest in flood 
insurance, if the bank — banks below $15 billion were exempt. Well, 
conflict of interest could occur in a small community bank just as 
easily in the largest bank in the country. There was no reason to 
exempt all the community banks from this or to treat them dif- 
ferently than the larger banks. 
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So, my question is, how is the Fed and how are the regulators, 
since you are the hank regulation guy, differentiating and not 
treating larger hanks who are plain vanilla banks and do the same 
types of activities as smaller banks like the ones that do the much 
riskier types of activities? I am hearing this complaint constantly, 
not just from New York, but from around the country. 

Mr. Tarullo. So, I think a couple of things. Senator. One, as you 
know. Section 165 of the Dodd-Frank Act put into law the propo- 
sition that with the increasing size and complexity of banks, there 
should be increasingly stringent regulation. It sounds simple, but 
that has not always been a precept of financial regulation, and I 
think it is quite central to what we should be trying to do. 

A second point which builds on that is at the Fed, we have cre- 
ated a special mechanism, including the Large Institution Super- 
vision Coordinating Committee — for the very largest, most complex 
banks, and many of the regulations which we talked about earlier 
in the hearing — I know you were not present for it, but many of 
the regulations we are proposing to do now, some of the ones in my 
prepared testimony, we will be applying only to those institutions, 
things like the requirement for a minimum amount of subordinated 
debt, things like the supplementary leverage ratio. 

So, having said that, though, coming to the third point. It is the 
case that as we adapt and make more stringent and more hori- 
zontal and more interdisciplinary our regulation and supervision of 
the very largest institutions, I have noticed there is an uninten- 
tional trickle down effect, which is to say supervisors may look and 
say, gee, you know — they are requiring the biggest banks to do 
this. That must be state-of-the-art supervision. 

And I have tried to impress on people that I think we need to 
develop a state-of-the-art supervision for the largest institutions. 
We need to develop a state-of-the-art supervision for community 
banks and for the regionals and the super-regionals, each of which 
is not a paler or stronger version of the other but is instead cus- 
tomized to those institutions. 

And it is something that I have been thinking about more and 
more over the last year because I keep hearing it, and it is — ^you 
know, we have seen it with stress testing, that we are supposed to 
have different expectations for the different size institutions, and 
I realize that the senior people in our Banking Supervision and 
Regulation Division need to keep making clear they are different 
expectations. So, it is almost a natural instinct of people to say, we 
want the best or the toughest. 

So, I agree with the premise behind your question. You know, my 
perspective on banks that are essentially lending institutions of a 
traditional sort is that strong capital, good examination, and some 
of the traditional activities restrictions are really the core of what 
we need. And some of the other things, if I can put it in cost-benefit 
terms. Senator Crapo, cost more than they are worth 

Senator Schumer. Right. 

Mr. Tarullo. in terms of increased safety. 

Senator Schumer. Good. I am glad to hear that from you. As you 
said, it is size and complexity. None of these institutions will bring 
down the country if, God forbid, they were to fail. So, it is not size 
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alone. It is complexity that ought to he playing a role here. Thank 
you. 

Chairman JOHNSON. I want to thank today’s witnesses for testi- 
fying about oversight of both financial stability and data security. 
Both are incredibly important to today’s economy. 

This hearing is adjourned. 

[Whereupon, at 11:57 a.m., the hearing was adjourned.] 

[Prepared statements and responses to written questions sup- 
plied for the record follow]: 
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Chairman Johnson, Ranking Member Crapo, and Members of the Committee, 
thank you for inviting me to testify today on behalf of the Treasury Department. 

Just over three and a half years ago, Congress passed and President Obama 
signed into law a historic set of reforms to make our financial system stronger and 
more stable. We have made considerable progress toward achieving those objectives 
through implementation of the Dodd-Frank Wall Street Reform and Consumer Pro- 
tection Act, and related reforms. The crisis revealed that regulation and oversight 
failed to keep pace with an evolving financial system, and demonstrated why we 
must always remain vigilant to potential emerging risks in financial institutions 
and markets. 

Most of the foundational reforms laid out in the Dodd-Frank Act have now been 
finalized, and intensive work on the remaining pieces continues. The new Consumer 
Financial Protection Bureau has taken up its mission quickly, acting to strengthen 
consumer protections in the mortgage market; establish Federal supervision over 
large payday lenders and debt collectors for the first time; and provide assistance 
to the elderly and military families who are so often targeted by unscrupulous lend- 
ers. Last year, the bank regulatory agencies finalized key rules stren^hening the 
quality and quantity of capital that banks are required to hold, and proposed new 
rules that will require the largest firms to decrease their leverage. A new framework 
for regulatory oversight of the over-the-counter derivatives market is largely in 
place, for those swap dealers registering with the Commodity Futures Trading Com- 
mission (CFTC) and certain interest-rate and credit-index swap transactions moving 
to central clearinghouses, reducing overall risk to the financial system. Starting this 
month, new classes of swaps transactions will begin to be traded on swap execution 
facilities, bringing much-needed transparency to these markets. 

The United States has moved quickly to put these critical reforms in place, and 
the American people are beginning to feel the benefits of reform through a safer and 
stronger financial system and a broader economic recovery. Although financial mar- 
kets have recovered more quickly than the overall economy, the economic recovery 
is gaining traction. Private sector payrolls have increased by more than 8 million 
jobs from the low point in February 2010, and December marked the 46th consecu- 
tive month of private-sector job growth. The unemployment rate, while still too high 
at 6.7 percent, has fallen to 3.3 percentage points since its October 2009 peak of 
10.0 percent, and almost a full percentage point since my last testimony before this 
Committee. The recovery in the housing market appears to be taking firm hold as 
measured by rising home prices, and a declining number of delinquencies and de- 
faults. 

Although we have made good progress, we must continue our efforts to complete 
the remaining pieces of financial reform and stand ready to identify and respond 
to new threats to financial stability. We must also continue to work with our inter- 
national counterparts to promote strong and consistent global approaches to finan- 
cial regulation and encourage them to move swiftly toward the completion and im- 
plementation of key reforms in their jurisdictions, preventing firms from evading re- 
forms through regulatory arbitrage. 

I would like to update the Committee on several important regulatory develop- 
ments since I appeared before you last July. 

Secretary Lew, in his capacity as Chairperson of the Financial Stability Oversight 
Council, was responsible for coordinating the regulations issued by the five rule- 
making agencies — the Board of Governors of the Federal Reserve System (Federal 
Reserve), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comp- 
troller of the Currency (OCC), the Securities and Exchange Commission (SEC), and 
the CFTC — to implement Section 619 of the Dodd-Frank Act, commonly referred to 
as the Volcker Rule. Starting from his first day in office. Secretary Lew stressed the 
importance of finishing work on the Volcker Rule, and the importance of having a 
single, strong final rule that was true to President Obama’s proposal and the stat- 
ute’s intent. The final rule adopted in December will protect taxpayers and the Fed- 
eral safety net by ending banks’ speculative trading activities for their own benefit 
rather than for the benefit of their customers, and restricting their investment in 
private equity and hedge funds, while preserving banks’ ability to maintain deep, 
liquid financial markets and hedge their risks. The rule’s requirement that the larg- 
est firms’ CEOs attest to the maintenance and enforcement of compliance programs 
will help foster a “tone at the top” for a culture of compliance. The rule also contains 
a tiered compliance regime, to help ensure that smaller banks that do not engage 
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in impermissible proprietary trading or private fund activities do not face unneces- 
sary compliance burdens. 

Our progress in 2013 was not limited to completion of the Volcker Rule. Last sum- 
mer, the Federal Reserve, FDIC, and OCC finalized an important set of rules imple- 
menting the Basel Committee’s risk-based capital standards, which will increase 
both the quantity and quality of capital held by banks and bank holding companies. 
The banking regulators also proposed complementary enhanced leverage standards 
that will act as a backstop to the risk-based capital requirements, and will require 
the largest banks and bank holding companies to reduce their overall leverage. An 
international group of regulators recently made significant progress toward con- 
sistent application of the leverage requirement across different jurisdictions by 
agreeing on a global framework for calculating the leverage ratio. The United States 
continues to lead international efforts to raise regulatory standards around the 
world. 

The Federal Reserve is also poised to issue additional enhanced prudential stand- 
ards that will increase safety and soundness at the largest and most complex banks 
and designated nonbank financial companies. 

The bankruptcy process, aided by the Dodd-Frank Act’s living wills requirement, 
continues to be the primary method for resolving failing financial companies. All of 
the firms that are required to submit living wills have done so, and the largest bank 
holding companies submitted their second round of living wills last fall, providing 
a more refined tool to facilitate their orderly resolution through bankruptcy should 
they fail. 

However, in the case where bankruptcy cannot be relied on to resolve a failing 
financial company without imposing serious adverse effects on U.S. financial sta- 
bility, the Dodd-Frank Act’s orderly liquidation authority provides critical new au- 
thorities so that firms can safely be allowed to fail, no matter how large and com- 
plex. 

In December, the FDIC issued and sought public comment on an important docu- 
ment detailing its strategy for resolving a financial company using its orderly liq- 
uidation authority. The document provides greater detail on the FDIC’s “single 
point-of-entry” strategy that the FDIC developed to implement its authority. The 
single point-of-entry strategy is designed to accomplish the goals of orderly liquida- 
tion by allowing critical operating subsidiaries of a failing firm to remain in busi- 
ness during the resolution, while also preserving market discipline in accordance 
with the law’s requirements — that losses are borne by shareholders and creditors, 
that culpable management are held accountable and removed, and that taxpayers 
bear no losses. International cooperation is critical to ensure workability across bor- 
ders, a topic discussed in more detail below. 

The Financial Stability Oversight Council (Council) remains focused on its author- 
ity to determine that certain large, complex nonbank financial companies whose ma- 
terial financial distress could threaten U.S. financial stability will be subject to more 
stringent prudential standards and oversight. This past summer, the Council des- 
ignated American International Group, Inc. and General Electric Capital Corpora- 
tion, Inc., subjecting them to enhanced prudential standards and consolidated super- 
vision by the Federal Reserve. And, after company management had a formal hear- 
ing with the Council to contest the Council’s proposed designation of the company, 
the Council also finalized its designation of Prudential Financial, Inc. These des- 
ignations are in addition to the eight financial market utilities that the Council des- 
ignated in 2012. 

The Council’s review of nonbank financial companies is an ongoing process, and 
the Council will continue to evaluate other companies for potential designation. 

The progress we have made on instituting a significantly stronger capital regime 
and creating a credible resolution process, and the expansion of the supervisory um- 
brella to cover designated nonbank financial companies, are key developments in 
making the failure of large, complex firms less likely and making our financial sys- 
tem more resilient in the event of such a failure. 

We also continued to make progress on derivatives reform in 2013. The implemen- 
tation of reporting and clearing rules were critical steps forward in improving the 
safety and transparency of the derivatives market. We understand that for deriva- 
tive reforms to work correctly, they must align globally. Last summer, the CFTC 
finalized its guidance with respect to the applicability of the Dodd-Frank Act’s de- 
rivatives reforms to cross-border derivatives transactions and, together with the Eu- 
ropean Commission, announced a “Path Forward,” laying out their joint under- 
standings regarding the regulation of cross-border derivatives transactions. In Sep- 
tember, an international working group, co-chaired by the Federal Reserve and in- 
cluding the SEC and CFTC, finalized margin standards for noncleared derivative 
transactions. U.S. regulators are now working to adopt these standards domesti- 
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cally, and we expect these rules to be finalized this year. In addition, by the end 
of last year, 22 swap execution facilities were registered with the CFTC, and the 
trading volume on those platforms is expected to increase significantly later this 
month when trading in several interest rate and credit derivatives will be required 
to take place on SEFs. 

Treasury’s Federal Insurance Office (FIO) also made significant progress in ful- 
filling its mission in 2013. In December, the FIO released its report on the mod- 
ernization and improvement of the system of insurance regulation in the United 
States. The report made 27 recommendations designed to bring our insurance regu- 
latory system into the 21st century and make it more responsive to the needs of 
consumers, market participants, and host supervisors in a global environment. The 
FIO will also release a report on the reinsurance market, and the President’s Work- 
ing Group on Financial Markets, with input from the FIO, will release its analysis 
of the long-term availability and affordability of terrorism risk insurance this year. 

In addition, the FIO continues its work on the international front to represent 
U.S. interests in the development of international insurance standard-setting and 
financial stability activities. The FIO has worked and will continue to work closely 
and consult with other Federal agencies and with State insurance regulators on 
these efforts. The FIO is involved in the work of the International Association of 
Insurance Supervisors (lAIS) to develop a common supervisory framework, including 
a capital standard, for internationally active insurance groups. 

Treasury and the Financial Stability Oversight Council also remain focused on 
emerging threats that might arise outside, or on the periphery of, the traditional 
banking sector. To that end, the Council is actively analyzing the extent to which 
there are potential threats to U.S. financial stability arising from asset management 
companies or their activities, and whether such threats could be mitigated by Coun- 
cil designations or whether they would be better addressed through other regulatory 
measures. As part of this analysis, the Council requested that the Office of Finan- 
cial Research conduct a study of asset management activities to help determine 
whether these activities could create, transmit, or amplify stress through the finan- 
cial system. The OFR released its study at the end of September following a careful 
analysis that included discussions with a number of market participants and input 
from Council member agencies with relevant expertise. 

The Council’s focus on emerging risks outside the core banking system led it to 
issue, at the end of 2012, proposed recommendations for money market mutual fund 
(MMF) reforms. Throughout this process, the Council has made it clear that the 
SEC is the primary regulator of MMFs and should take the lead in driving reform. 
Last June, the SEC proposed regulations intended to reduce the risks presented by 
MMFs, and we expect that the SEC will issue a final rule later this year that will 
address the vulnerabilities identified by the Council. 

Another area of growing concern for Treasury and the Council is the vulnerability 
of our financial sector infrastructure to cyber events. Cyber threats to financial in- 
stitutions and markets are growing in both frequency and sophistication. The chang- 
ing nature of these cyber threats prompted the Council last year to highlight oper- 
ational risk, and cybersecurity in particular, as worthy of heightened risk manage- 
ment and supervisory attention. Council member agencies are providing guidance 
to financial firms concerning appropriate governance mechanisms, information secu- 
rity procedures and testing, adequate backup systems, and emergency business con- 
tinuity and recovery plans. 

To maintain data security, safeguard the integrity of markets, and preserve con- 
sumer and investor confidence, the U.S. Government and the financial sector have 
come together to identify financial system vulnerabilities, improve the resilience of 
our financial system, and refine incident management protocols. A public-private 
partnership is necessary to combine the resources and capabilities of the Govern- 
ment with those of the private sector. In a public meeting in December, the Council 
highlighted this partnership by engaging both public sector and private sector lead- 
ers to discuss their efforts. They emphasized information sharing, declassification of 
threat information, and strengthening the resilience of firms outside the financial 
services sector that are integral to the functioning of the sector. 

In addition to its role as a Council member agency. Treasury serves as the sector- 
specific agency for the financial sector with a leading role in policy development and 
a coordinating role in incident response. In this role. Treasury has sought to in- 
crease engagement, improve coordination, and facilitate information-sharing on 
cybersecurity issues with colleagues across the Federal Government, particularly 
those involved with national security, homeland security, and law enforcement. We 
communicate regularly with senior officials in these areas on matters specific to 
cybersecurity, both in the context of incidents and on more general operations and 
policy matters. Importantly, Treasury is focused on protecting the financial sector 
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as a whole, from the largest financial institutions and exchanges to community 
banks and credit unions. Accordingly, we work to reach institutions of all sizes. 

I would also like to highlight for the Committee a few areas where Treasury in- 
tends to direct significant attention and resources this year to complete key out- 
standing pieces of reform. The United States responded to the financial crisis ag- 
gressively and on a bipartisan basis to make our domestic system safer and more 
secure. But given the global nature of our financial system, we must continue work- 
ing with other regulators to forge compatible rules so that reforms in other jurisdic- 
tions are as strong as our own. From the outset of the crisis, the time and energy 
we put in to domestic regulatory reform have been paired with international efforts 
to promote high-quality standards, build a level playing field, and reduce risk. We 
have made considerable progress through the G-20 and the Financial Stability 
Board in designing a more stable and resilient global financial system. But design 
is not sufficient. Implementation and follow-through are key. 

Later this month, the G-20 finance ministers will meet in Australia and the 
United States will use that opportunity to call on the world’s largest economies to 
bear down even more forcefully on implementation. And next week I will be making 
a trip to several countries in Asia to discuss their progress on financial regulatory 
reform. 

In 2014, we will take steps to make sure that global banks meet the high stand- 
ards we have set. That means moving swiftly to build strong and high-quality cap- 
ital, properly risk-weight assets, curb leverage, and build strong liquidity buffers to 
protect themselves in times of crisis. Several years ago, the G— 20 recommended that 
trading, reporting, and clearing of over-the-counter derivatives be in place by now. 
The United States has forged ahead in getting that done. We need to make sure 
these recommendations are put in place around the globe. There will be difficult 
cross-border issues to manage, and these are made more complex because other na- 
tions are moving far more slowly than the United States. 

One area that will require significant international cooperation is the task of en- 
suring not only that all derivatives transactions are reported to trade repositories, 
but that the information collected can be used for the purposes it was intended: 
bringing transparency to our derivatives markets and helping regulators and mar- 
ket participants develop more insight into the types and levels of exposure through- 
out the financial system. A great deal of work still needs to be done to ensure that 
the data reported by industry and collected by regulators will be as useful as pos- 
sible, or we will be at risk of not achieving that goal. The data are fragmented, with 
many different trade repositories, within and across jurisdictions, collecting different 
kinds of information in different ways, keeping us from putting all of that informa- 
tion together to develop a full picture of the market. We need to roll up our sleeves 
and address any obstacles to making these data useful for market participants and 
for regulators who are monitoring financial stability. 

Treasury will also continue to engage closely with regulators in the United States 
and abroad to strengthen our ability to wind down failing financial companies while 
minimizing the negative impact on the rest of the financial system and the global 
economy. Major financial institutions operate globally, and cross-border coordination 
is necessary for resolution of these firms to be effective. Our agenda in the coming 
year will focus heavily on completing the work underway on international arrange- 
ments that establish how home and host authorities will cooperate to wind down 
a globally active firm in an orderly way. Treasury and the regulators will continue 
to closely collaborate with our international counterparts through forums like the 
Financial Stability Board and on a bilateral basis to address obstacles to resolving 
large, cross-border firms. 

In addition to this critical international reform agenda, there is still much to be 
done domestically. As was the case with the Volcker Rule, Secretary Lew, as the 
Chairperson of the Financial Stability Oversight Council, is responsible for coordi- 
nating the joint rulemakings to implement Section 941 of the Dodd-Frank Act, the 
so-called “risk-retention” rule. This rule generally requires issuers of asset-backed 
securities to retain an interest in the securities they sell to third parties. The rule 
was re-proposed last year, and staff from Treasury, the banking agencies, the Fed- 
eral Housing Finance Agency, the Department of Housing and Urban Development, 
and the SEC have met regularly — including just last week — to review comments, 
analyze data, and coordinate on drafting the final rule. Completion of these regula- 
tions in 2014 is a priority for Treasury. 

And finally, in considering risks to financial stability, we cannot ignore fiscal de- 
velopments at home. Last year. Congress passed a temporary suspension of the debt 
limit, and that temporary suspension lasts only through February 7, which is tomor- 
row. After that, in the absence of Congressional action. Treasury will be forced to 
use extraordinary measures to continue to meet its obligations. We now forecast 
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that we are likely to exhaust these measures by the end of this month. And even 
though this is an estimate, it is clear that extraordinary measures will not last for 
an extended period. 

It would be a mistake to wait until the 11th hour to get this done. The fact is, 
simply delaying action on the debt limit can cause harm to our economy, financial 
markets, and taxpayers. We are already seeing some volatility in Treasury bills that 
mature after February 7. Around the time of last year’s delay, we saw consumer 
and business confidence drop, and investors and market participants publicly ques- 
tion whether it was too risky to hold certain types of U.S. Government debt. Such 
a question should be unthinkable. 

Given these realities, it is important that Congress move right away to increase 
our borrowing authority. 

The last year was a busy one, and we made substantial progress toward the goal 
of implementing the reforms set forth in the Dodd-Frank Act and adopting related 
reforms to make our financial system stronger, more stable and more focused on ful- 
filling its core function of facilitating the growth of the broader economy. That does 
not mean we will be able to releix our guard. To quote Winston Churchill: “This is 
not the end. It is not even the beginning of the end. But it is, perhaps, the end of 
the beginning.” Constant evolution in the financial system and the activities of fi- 
nancial institutions will require regulators to be flexible and ready to address new 
threats to the financial system. 
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Chairman Johnson, Ranking Member Crapo, and other Members of the Com- 
mittee, thank you for the opportunity to testify on the Federal Reserve’s activities 
in mitigating systemic risk and implementing the Dodd-Frank Wall Street Reform 
and Consumer Protection Act (Dodd-Frank Act). In today’s testimony, I will provide 
an update on the Federal Reserve’s recent activities pertaining to the implementa- 
tion of the Dodd-Frank Act and describe our key regulatory and supervisory prior- 
ities for 2014. I will also discuss the Federal Reserve’s expectations with regard to 
information security at the financial institutions it oversees. Since testifying before 
this Committee in July 2013, the Federal Reserve and other banking supervisors 
have made considerable progress in implementing the congressional mandates in 
the Dodd-Frank Act and otherwise improving financial stability and mitigating sys- 
temic risks. While these efforts have helped to produce a sounder, more stable, and 
more resilient financial system, work remains to be done to address the problems 
of “too-big-to-fail” and systemic risk. 

Recent Dodd-Frank Act Implementation Milestones 

Since your last oversight hearing, the Federal Reserve, often in tandem with some 
or all of the other agencies represented at this hearing, has made progress on a 
number of important Dodd-Frank Act reforms. 

Liquidity rules for large banking firms 

In October, the Federal Reserve and the other U.S. banking agencies issued a pro- 
posed rule, consistent with the enhanced prudential standards requirements in sec- 
tion 166 of the Dodd-Frank Act, which would implement the first broadly applicable 
quantitative liquidity requirement for U.S. banking firms. Liquidity standards for 
large U.S. banking firms are a key contributor to financial stability, as they work 
in concert with capital standards, stress testing, and other enhanced prudential 
standards to help ensure that large banking firms have a sufficiently strong liquid- 
ity risk profile to prevent creditor and counterparty runs. 

The proposed rule’s liquidity coverage ratio, or LCR, would require covered bank- 
ing firms to hold minimum amounts of high-quality liquid assets, such as central 
bank reserves and high-quality Government and corporate debt, that could be con- 
verted quickly and easily into cash sufficient to meet expected net cash outflows 
over a short-term stress period. The proposed LCR would apply to internationally 
active banking organizations — that is, to bank holding companies and savings and 
loan holding companies with $250 billion or more in total consolidated assets or $10 
billion or more in on-balance-sheet foreign exposures. The proposal would also apply 
a less stringent, modified LCR to bank holding companies and savings and loan 
holding companies that are not internationally active, but that have more than $50 
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billion in total assets. The proposal would not apply to bank holding companies with 
less than $50 billion in total assets. 

The proposal’s LCR is based upon a liquidity standard agreed to by the Basel 
Committee on Banking Supervision, but is more stringent than the Basel Com- 
mittee standard in several areas, including the range of assets that will qualify as 
high-quality liquid assets and the assumed rate of outflows for certain kinds of 
funding. In addition, the proposed rule’s transition period is shorter than that in 
the Basel Committee standard. The proposed accelerated phase-in of the U.S. LCR 
reflects our objective that large U.S. banking firms maintain the improved liquidity 
positions that they built following the financial crisis, in part due to our supervisory 
oversight. We believe the proposed LCR should help ensure that these improved li- 
quidity positions will not weaken as memories of the financial crisis fade. 

Stress testing and eapital planning requirements 

The comprehensive stress testing conducted by the Federal Reserve, pursuant to 
the Dodd-Frank Act and in connection with the annual Comprehensive Capital 
Analysis and Review (CCAR), has become a key part of our supervisory efforts for 
large banking firms, and we are continuing to develop and expand the scope of this 
exercise. Most recently, the Federal Reserve issued proposed supervisory guidance 
regarding internal stress testing by banking firms with total consolidated assets be- 
tween $10 billion and $50 billion as mandated by the Dodd-Frank Act and issued 
interim final rules clarifying how banking firms should incorporate the revised 
Basel III regulatory capital framework into their capital projections for the CCAR 
and Dodd-Frank Act stress testing cycles that began in the fall. 

We are continuing to improve the implementation of our stress testing framework 
by refining the formulation of the hypothetical macroeconomic scenarios that form 
the basis of the stress tests. In designing coherent stress scenarios, we draw on 
many of the modeling tools used to inform monetary policy, but also aim to reflect 
the fact that not all significant risks facing banks arise in typical recessions. As a 
result, our scenarios now generally incorporate other adverse developments, such as 
an exceptionally large decline in housing prices, the default of the largest 
counterparty, and a worsening of global economic conditions more severe than might 
normally be expected to accompany a deep recession in the United States. In order 
for our stress testing to remain focused on key vulnerabilities facing the banking 
system, our stress scenarios will evolve further over time as banking firms’ risk 
characteristics and business models evolve, the relationship between scenario vari- 
ables and banking firm performance shifts, and the economic and market environ- 
ment in which banking firms operate changes. Over the past 6 months, the Federal 
Reserve also has increased the transparency of our capital planning and stress test- 
ing work. We have published both a policy statement describing the scenario devel- 
opment process for future capital planning and stress testing exercises and a paper 
discussing our expectations for internal capital planning at large banking firms and 
the range of practices we have observed at these companies during the past three 
CCAR exercises. The transparency of our stress testing processes complements our 
enhanced transparency around the results of the exercises and our assessments of 
firms’ capital planning, all of which aim to give investors, analysts, and the public 
valuable information about firms’ financial conditions and resiliency to stress. 

Volcker Rule 

In December, the U.S. banking agencies, the Securities and Exchange Commission 
(SEC), and the Commodity Futures Trading Commission finalized the Volcker Rule 
to implement section 619 of the Dodd-Frank Act. As you know, the Volcker Rule 
prohibits banking entities from engaging in short-term proprietary trading of cer- 
tain securities and derivatives for their own account. The Volcker Rule also imposes 
limits on banking entities’ investments in, and relationships with, hedge funds and 
private equity funds. The finalization of this rule took a substantial amount of time 
and effort in part because of the intrinsic challenges in distinguishing between the 
proprietary trading that is outlawed by the Dodd-Frank Act and the hedging and 
market making activities that are allowed by the Act. 

The ultimate success of the final rule will depend on how well the implementing 
agencies supervise and enforce the rule. While the Federal Reserve’s supervisory 
role will be less than that of the Office of the Comptroller of the Currency and the 
SEC, we will continue to work with the other implementing agencies to develop an 
effective and consistent supervisory framework and to ensure that the Volcker Rule 
is implemented in a manner that upholds the aims of the statute, while not jeopard- 
izing important activities such as market making and hedging. In pursuit of this 
goal, shortly after the adoption of the Volcker Rule, the Federal Reserve and the 
other implementing agencies agreed to create an interagency working group, which 
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has already begun to meet. In mid-January, the five implementing agencies ap- 
proved an interim final rule to permit banking entities to retain interests in certain 
collateralized debt obligations backed primarily by trust preferred securities that 
would otherwise be subject to the Volcker Rule’s covered fund investment prohibi- 
tions. 

Derivatives push-out 

In December, the Federal Reserve also approved a final rule clarifying the treat- 
ment of uninsured U.S. branches and agencies of foreign banks under section 716 
of the Dodd-Frank Act, which is commonly known as the derivatives push-out provi- 
sion. The provision, which became effective in July 2013, generally prohibits certain 
types of Federal assistance, such as discount window lending and deposit insurance, 
to swap entities such as swap dealers and major swap participants. Insured deposi- 
tory institutions that are swap entities may avail themselves of certain statutory 
exceptions and are eligible for a transition period of up to 2 years to comply with 
the provision. Under the final rule, uninsured U.S. branches and agencies of foreign 
banks are treated as insured depository institutions for the purposes of section 716 
and therefore qualify for the same statutory exceptions as insured depository insti- 
tutions and are eligible to apply for the same transition period relief. The final rule 
also establishes a process for State member banks and uninsured State branches 
or agencies of foreign banks to apply to the Federal Reserve for the transition period 
relief. 

Federal Reserve emergency lending authority 

Also in December, the Federal Reserve issued a proposal relating to its emergency 
lending authority in section 13(3) of the Federal Reserve Act that would implement 
sections 1101 and 1103 of the Dodd-Frank Act. As required by these statutory provi- 
sions, the proposed rule is designed to ensure that any emergency lending program 
or facility is adequately secured by collateral to protect teixpayers from loss and is 
for the purpose of providing liquidity to the financial system, and not to aid an indi- 
vidual failing financial company. 

Risk retention 

Section 941 of the Dodd-Frank Act generally requires firms to retain credit risk 
in securitization transactions that they sponsor. In August, the U.S. banking agen- 
cies, the Federal Housing Finance Agency, the Department of Housing and Urban 
Development, and the SEC revised a proposed rule issued in 2011 to implement that 
statutory provision. The proposed rule would provide securitization sponsors with 
several options to satisfy the risk retention requirements in section 941 and, as re- 
quired by the Dodd-Frank Act, would exempt certain securitizations, including 
securitizations of “qualified residential mortgages” (QRM), from risk retention. The 
revised proposal would define QRM to have the same meaning as the term “quali- 
fied mortgage” established by the Consumer Financial Protection Bureau in January 
2013, and, as such, would include a maximum back-end debt-to-income ratio of 43 
percent, a 30-year limit on the term of the mortgage, and a 3 percent cap on points 
and fees. While the revised proposal’s definition of QRM has been broadened as 
compared to that in the original proposal, it continues to exclude many loans with 
riskier product features, such as home-equity lines of credit; reverse mortgages; and 
loans with negative amortization, interest-only, and balloon payments. The revised 
proposal also requested comment on an alternative, stricter definition of QRM that 
would include a maximum 70 percent loan-to-value ratio requirement and certain 
credit history standards in addition to the qualified mortgage criteria. The comment 
period for the revised proposal closed at the end of October, and the agencies are 
now carefully reviewing comments. 

Assessment fees 

Section 318 of the Dodd-Frank Act directs the Federal Reserve to collect assess- 
ment fees equal to the expenses it estimates are necessary or appropriate for the 
supervision and regulation of large financial companies. The Federal Reserve issued 
a final rule implementing this statutory provision in August of last year. The rule, 
which became effective in October, sets forth how the Federal Reserve determines 
which companies are charged, estimates the applicable supervisory expenses of the 
Federal Reserve related to covered companies, determines each covered company’s 
assessment fee, and bills for and collects the assessment fees. Payments for the 
2012 assessment period were due in December, and the Board collected approxi- 
mately $433 million from 72 companies. As required by law, these fees were trans- 
ferred to the U.S. Treasury. 
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Key Regulatory Priorities for 2014 

The Federal Reserve’s regulatory program in 2014 will concentrate on establishing 
enhanced prudential standards for large U.S. banking firms and foreign banks oper- 
ating in the United States pursuant to section 165 of the Dodd-Frank Act and on 
further enhancing the resiliency and resolvability of U.S. -based global systemically 
important banks, or GSIBs. 

Enhanced prudential standards lor large U.S. and foreign banking firms 

The Federal Reserve has issued proposed rules, pursuant to section 165 of the 
Dodd-Frank Act, which would establish enhanced prudential standards for U.S. 
bank holding companies and foreign banking organizations with total global consoli- 
dated assets of $50 billion or more. We anticipate that these rules will be finalized 
in the near term. For the large U.S. bank holding companies, the outstanding pro- 
posed standards include liquidity requirements, risk-management requirements, 
single-counterparty credit limits, and an early remediation regime. Finalizing these 
outstanding proposals would complement the capital planning, resolution planning, 
and stress testing requirements for large U.S. bank holding companies that the 
Board previously finalized. 

The Federal Reserve has also proposed enhanced prudential standards for large 
foreign banking organizations with a U.S. banking presence. Prior to the financial 
crisis, the Federal Reserve’s approach to regulating the U.S. operations of foreign 
banks rested on substantial structural flexibility for the foreign bank, substantial 
reliance by the Federal Reserve on the supervisory and regulatory framework of the 
foreign bank’s home country, and substantial expectations of support by the parent 
foreign bank of its U.S. operations. A number of developments since the 1990s 
prompted a reevaluation of this approach to the regulation of foreign banks in the 
United States, just as the Federal Reserve had in the past reevaluated its approach 
in response to changes in the size and scope of foreign banking activities and finan- 
cial market changes. Most notably, the U.S. operations of foreign banks in the years 
leading up to the financial crisis grew much larger and became much more complex 
and interconnected with the rest of the U.S. financial system. For example, 5 of the 
top 10 U.S. broker-dealers are currently owned by foreign banks and together hold 
almost $1.2 trillion in assets. The U.S. operations of large foreign banks also became 
much more dependent on the most unstable sources of short-term wholesale funding 
and established very substantial net credit exposures to the parent foreign bank in 
the years leading up to the financial crisis. As a result, during the crisis, these 
banks were heavy users of the Federal Reserve’s liquidity facilities. 

Under the proposed rule, foreign banking organizations with a large U.S. presence 
would be required to organize their U.S. subsidiaries under a single U.S. inter- 
mediate holding company that would serve as a platform for consistent supervision 
and regulation. These U.S. intermediate holding companies would be subject to the 
same generally applicable risk-based capital, leverage, and capital planning require- 
ments that apply to U.S. bank holding companies. In addition, U.S. intermediate- 
holding companies and the U.S. branches and agencies of foreign banks with a large 
U.S. presence would be required to meet liquidity requirements similar to those ap- 
plicable to large U.S. bank holding companies. The Federal Reserve issued the pro- 
posed rule to promote the resiliency of the U.S. operations of foreign banking organi- 
zations and, in turn, U.S. financial stability. 

Other regulatory efforts to improve the resiliency and resolvability of GSIBs 

The financial crisis made clear that policymakers must devote significant atten- 
tion to the potential threat to financial stability posed by our most systemic finan- 
cial firms. Accordingly, the Federal Reserve has been focused on developing regu- 
latory proposals that are designed to reduce the probability of failure of a GSIB to 
levels that are meaningfully below those for less systemically important firms and 
materially reduce the consequences to the broader financial system and economy in 
the event of failure of a GSIB. Our goal has been to establish regulations that force 
GSIBs to internalize the large negative externalities associated with their disorderly 
failure and that aim to offset any remaining too-big-to-fail subsidies these firms may 
enjoy. 

GSIB risk-based capital surcharges 

A key component of the Federal Reserve’s program to improve GSIB resiliency is 
our forthcoming proposal to impose graduated common equity risk-based capital 
surcharges on GSIBs. This proposal will be based on the GSIB capital surcharge 
framework developed by the Basel Committee, under which the size of the sur- 
charge for an individual GSIB is a function of the firm’s systemic importance. We 
currently are working on the implementing regulation for the Basel Committee 
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GSIB risk-based capital surcharge framework and expect to issue a proposal fairly 
soon. By further increasing the amount of the most loss-absorbing form of capital 
that is required to be held by the firms that potentially pose the greatest risk to 
financial stability, we intend to reduce the probability of failure of these firms to 
offset the greater negative externalities their failure would have on the financial 
system and to offset any funding advantage such firms may have because of their 
perceived status as too-big-to-fail. 

GSIB leverage surcharges 

To further bolster the regulatory capital regime for the most systemic U.S. bank- 
ing firms, the Federal Reserve and the other U.S. banking agencies have proposed 
to strengthen the internationally agreed-upon Basel III leverage ratio as applied to 
U.S. GSIBs. This proposal would require U.S. GSIBs to maintain a tier 1 capital 
buffer of at least 2 percent above the minimum Basel III supplementary leverage 
ratio of 3 percent, for a total of 5 percent. In light of the significantly higher risk- 
based capital rules for GSIBs under Basel III, imposing a stricter leverage require- 
ment on these firms is appropriate to help ensure that the leverage ratio remains 
a relevant backstop for these firms. And we have calibrated the proposed GSIB le- 
verage surcharge thresholds to raise the leverage standards for these firms by an 
amount that is roughly commensurate with the Basel III increase in the risk-based 
capital thresholds for these firms. We expect to finalize this proposal in the coming 
months. 

We also intend to incorporate in the United States the revisions to the Basel III 
leverage ratio recently agreed to by the Basel Committee. These changes would 
strengthen the ratio in a number of ways, including by introducing a much stricter 
treatment of credit derivatives. 

Resolvability of GSIBs 

Our enhanced regulation of GSIBs also includes efforts to improve their resolv- 
ability. The Federal Reserve’s resolvability efforts include work with the Federal De- 
posit Insurance Corporation (FDIC) to improve the bankruptcy resolution planning 
of large banking firms and work to assist the FDIC in making large banking firms 
more resolvable under the Orderly Liquidation Authority (OLA) of the Dodd-Frank 
Act. 

The Federal Reserve is consulting with the FDIC on a proposal that would require 
the largest, most complex U.S. banking firms to maintain a minimum amount of 
long-term unsecured debt outstanding at the holding company level. While min- 
imum capital requirements are designed to cover losses up to a certain statistical 
probability, in the event that the equity of a financial firm is wiped out, successful 
resolution without taxpayer assistance would be most effectively accomplished if a 
firm has sufficient long-term, unsecured debt to absorb additional losses and to re- 
capitalize the business transferred to a bridge operating company. The presence of 
debt explicitly identified for possible bail-in on a “gone concern” basis should help 
other creditors clarify their positions in an orderly liquidation process. 

A requirement for long-term debt could have the benefit of improving market dis- 
cipline, since the holders of that debt would know they faced the prospect of loss 
should the firm enter resolution. In addition, this requirement should have the ef- 
fect of preventing the erosion of the current long-term debt holdings of GSIBs, 
which, by historical standards, are currently at fairly high levels. Absent a min- 
imum requirement of this sort, there likely would be declines in these levels as the 
flatter yield curve of recent years steepens. We have recently seen some evidence 
of the beginnings of such declines. At the international level, the Federal Reserve 
is working through the Basel Committee and the Financial Stability Board (FSB) 
to develop an international proposal for gone concern loss absorbency requirements 
for GSIBs. 

Regulatory Reform, Shadow Banking, and Short-term Wholesale Funding 

“Shadow banking” is a term used to describe a wide variety of activities involving 
credit intermediation and maturity transformation outside the insured depository 
system. These activities are often funded through collateralized borrowing arrange- 
ments known as “securities financing transactions,” a term that generally refers to 
repos and reverse repos, securities lending and borrowing, and securities margin 
lending. Some of this activity involves the short-term funding of highly liquid securi- 
ties, and directly supports the current functioning of important markets, including 
those in which monetary policy is executed. Securities financing transactions can 
also directly or indirectly fund less liquid instruments. 

In normal times, lending through securities financing transactions, even when 
backed by less-liquid instruments, appears low-risk because of the fact that the 
transactions are usually short-term, over-collateralized, and exempt from the auto- 
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matic stay in insolvency proceedings. But during times of stress, lenders may be- 
come unwilling to lend against a wide range of assets, including very high-quality 
securities, forcing liquidity-strained institutions to rapidly liquidate positions. The 
rapid constriction of large amounts of short-term wholesale funding and associated 
asset liquidations in times of stress in the financial markets can result in large fire 
sale externalities, direct and indirect contagion to other financial firms, and disrup- 
tions to financial stability. A dynamic of this type engulfed the financial system in 
2008. 

While the term “shadow hanking” suggests activity outside of the banking system, 
reality is more complex. In many cases, shadow banking takes place within, or in 
close proximity to, regulated financial institutions. Most of the largest banking orga- 
nizations rely to a significant extent on securities financing transactions and other 
forms of short-term wholesale funding to finance their operations, and if such a firm 
were to come under stress, the fire sale externalities could he very similar to those 
we saw during the financial crisis. Banking organizations also participate in shadow 
hanking by lending to unregulated shadow hanks, and by providing shadow banks 
with credit and liquidity support that enhances their ability to borrow from other 
market participants. In still other cases, unregulated shadow hanks are able to op- 
erate without coming into contact with the banking system. As prudential require- 
ments for regulated firms become more stringent, it is likely that market partici- 
pants will face increasing incentives to move additional activity heyond the regu- 
latory perimeter. 

Since the crisis, regulators have collectively made progress in addressing some of 
the close linkages between shadow banking and traditional banking organizations. 
We have increased the regulatory charges on support that banks provide to shadow 
banks; for example, by including within the LCR requirements for banks to hold li- 
quidity buffers when they provide credit or liquidity facilities to securitization vehi- 
cles or other special purpose entities. Changes have also been made to accounting 
and capital rules that make it more difficult for banks to reduce the amount of cap- 
ital they are required to hold by shifting assets off balance sheet. 

We are also addressing risks from derivatives transactions, which can pose some 
of the same contagion and financial stability risks as short-term wholesale funding 
in the event that large volumes of derivatives positions must be liquidated quickly. 
Standardized derivatives transactions are currently in the process of moving to cen- 
tral clearing, while nonstandardized trades will be subject to margin requirements. 
In September 2013, the Basel Committee and the International Organization of Se- 
curities Commissions adopted final standards on margin requirements that will re- 
quire financial firms and systemically important nonfinancial entities to exchange 
initial and variation margin on a bilateral basis for noncleared derivatives trades. 
The Federal Reserve and other Federal financial regulatory agencies are now work- 
ing to modify the outstanding U.S. proposals on noncleared derivatives margin re- 
quirements to more closely align them with the requirements in this landmark glob- 
al a^eement. 

Still, we have yet to address head-on the financial stability risks from securities 
financing transactions and other forms of short-term wholesale funding that he at 
the heart of shadow banking. There are two fundamental goals that policy should 
be designed to achieve. The first is to address the specific financial stability risks 
posed by the use of large amounts of short-term wholesale funding by the largest, 
most complex banking organizations. The second is to respond to the more general 
macroprudential concerns raised by short-term collateralized borrowing arrange- 
ments throughout the financial system. 

One option to address concerns specific to large, complex banking firms would be 
to pursue modifications to bank liquidity standards that would require firms that 
have matched books of securities financing transactions to hold larger liquid asset 
buffers or maintain more stable funding structures. The Basel Committee has re- 
cently proposed changes to its Net Stable Funding Ratio that would move in this 
direction. 

A complementary bank regulatory option would be to require banking firms that 
rely on greater amounts of short-term wholesale funding to hold higher levels of 
capital. The rationale behind this approach would be that while solid requirements 
are needed for both capital and liquidity adequacy at large banking firms, the rela- 
tionship between the two also matters. For example, a firm with little reliance on 
short-term wholesale funding is less susceptible to runs and, thus, to need to engage 
in fire sales that can depress capital levels at the firm and impose externalities on 
the broader financial system. A capital surcharge based on short-term wholesale 
funding levels would add an incentive for firms to use more stable funding and, 
where a firm concluded that higher levels of such funding were nonetheless eco- 
nomically sensible, the surcharge would increase the loss absorbency of the firm. 
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Such a requirement would be consistent with, though distinct from, the long-term 
debt requirement that the Federal Reserve is developing to enhance prospects for 
resolving large firms without taxpayer assistance. 

Turning to policies that could be used to address concerns about short-term 
collateralized borrowing arrangements more broadly throughout the financial sys- 
tem, the Federal Reserve is also carefully analyzing proposals to establish minimum 
numerical floors for collateral haircuts in securities financing transactions. In its 
most universal form, a system of numerical haircut floors for securities financing 
transactions would require any entity that wants to borrow against a security to 
post a minimum amount of excess margin to its lender that would vary depending 
on the asset class of the collateral. Like minimum margin requirements for deriva- 
tives, numerical haircut floors for securities financing transactions would serve as 
a mechanism for limiting the buildup of leverage at the transaction level, and could 
mitigate the risk of pro-cyclical margin calls. 

In August, the FSB issued a consultative document that outlined a framework of 
minimum margin requirements for securities financing transactions. The FSB’s cur- 
rent proposal has some significant limitations, however, including (1) a scope of ap- 
plication that is limited to transactions in which a regulated entity lends to an un- 
regulated entity against nonsovereign collateral, and (2) a relatively low calibration. 
If the scope of the FSB’s proposal was expanded to cover a much broader range of 
firms and securities and the calibration of the proposal was strengthened, the FSB 
proposal could represent a significant step toward addressing financial stability 
risks in short-term wholesale funding markets. 

Information Security at Financial Institutions 

Before closing, I would like to discuss briefly the Federal Reserve’s expectations 
with regard to information security at the financial institutions it oversees, as re- 
cent events have led to an increased focus on the potential for cyber attacks on the 
information technology infrastructures of these institutions. 

Cyber attacks on financial institutions and the data they house pose significant 
risks to the economy and to national security more broadly. While some attacks are 
conducted with the intent of disrupting customer access and normal business oper- 
ations of financial institutions, other attacks include malicious software implanted 
to destroy data and systems, intrusions to gain access to unauthorized information, 
and account takeovers for financial fraud. The varied and evolving nature of these 
attacks make them a continuing challenge to address. 

The Federal Reserve requires the financial institutions it regulates to develop and 
maintain effective information security programs that are tailored to the complexity 
of each institution’s operations and that include steps to protect the security and 
confidentiality of customer information. In addition, to address any data breaches 
that occur, the Federal Reserve requires supervised financial institutions to develop 
and implement programs to respond to events in which individuals or firms obtain 
unauthorized access to customer information held by the institution or its service 
providers. Specifically, when a financial institution becomes aware of an incident of 
unauthorized access to sensitive customer information, the institution should con- 
duct a reasonable investigation to promptly determine the likelihood that the infor- 
mation has been or will be misused; assess the nature and scope of the incident; 
identify the types of information that have been accessed or misused; and undertake 
risk mitigation, which can include notif 3 dng customers, monitoring for unusual ac- 
count activity, and re-issuing credit and debit cards. 

The Federal Reserve’s approach to information security supervision leverages in- 
ternal firm expertise, published guidance, and collaboration between the Board, the 
Reserve Banks, and other U.S. banking agencies to promote effective protection of 
data and systems by supervised institutions. The Reserve Banks employ examiners 
specializing in information technology supervision to conduct the bulk of their infor- 
mation security examination activities. Federal Reserve staff has also developed 
guidance, some collaboratively with other banking regulators, to define expectations 
for information security and data breach management. Nine significant information 
security guidance documents have been issued since July 2001. We are continuing 
to focus on this risk through our participation in the Federal Financial Institutions 
Examination Council’s recently established working group aimed at enhancing su- 
pervisory initiatives on cybersecurity and critical infrastructure protection. 

Although many agencies throughout the U.S. Government are working to address 
problems posed by cyber attacks — in part as a result of initiatives such as the execu- 
tive order issued last February that directed the National Institute of Standards 
and Technology to develop a cybersecurity framework — we believe there should be 
increased attention and coordination across the Federal Government to support the 
security of the Nation’s financial infrastructure. In particular, we support efforts to 
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leverage the technical capahilities of law enforcement and national security agencies 
with respect to cyher threats and attacks at financial institutions. Financial regu- 
lators set expectations for security programs and controls at financial institutions, 
and they help to validate that these expectations are being met. However, financial 
regulators do not maintain the technical capacity to identify many of the most so- 
phisticated threats, to respond to threats as they occur, or to evaluate the alter- 
natives for immediate and effective responses to new types of viruses or attacks. We 
appreciate the efforts of U.S. Government agencies to date and encourage continued 
coordination across agencies to ensure the safety and security of the financial sys- 
tem. 

Conclusion 

The financial regulatory architecture is considerably stronger today than it was 
in the years leading up to the crisis, but work remains to complete the post-crisis 
global financial reform program. Over the coming year, the Federal Reserve will be 
working with other U.S. financial regulatory agencies, and with foreign central 
banks and regulators, to propose and finalize a number of the important remaining 
initiatives. In this continuing endeavor, our goal is to preserve financial stability at 
the least cost to credit availability and economic growth. We are focused on reducing 
the probability of failure of systemic financial firms, improving the resolvability of 
systemic financial firms, and monitoring and mitigating emerging systemic risks. 

Thank you for your attention. I would be pleased to answer any questions you 
might have. 
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Chairman, Federal Deposit Insurance Corporation 
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Chairman Johnson, Ranking Member Crapo and Members of the Committee, 
thank you for the opportunity to testify today on the Federal Deposit Insurance Cor- 
poration’s (FDIC) actions to implement the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Dodd-Frank Act). 

The FDIC has made significant progress in recent months in implementing the 
new authorities granted by the Act.^ My testimony will address several topics. First, 
I will discuss the recently adopted regulation implementing the Volcker Rule and 
the actions we have taken on the risk retention and qualified mortgage rules. I will 
then provide an update on our progress in implementing the authority provided to 
the FDIC to resolve systemically important financial institutions and proposals to 
improve the quantity and quality of capital. Finally, I will address data integrity 
issues for the banking industry. 

The Volcker Rule 

Section 619 of the Dodd-Frank Act, also known as “the Volcker Rule,” requires 
the Securities and Exchange Commission (SEC), the Commodities Futures Trading 
Commission (CFTC), and the Federal banking agencies to adopt reflations to pro- 
hibit banking entities from engaging in proprietary trading activities and to limit 
the ability of banking entities to invest in, or have certain relationships with, hedge 
funds and private equity funds. In general terms, proprietary trading occurs when 
an entity places its own capital at risk to engage in the short-term bu3dng and sell- 
ing of securities primarily to profit from short-term price movements, or enters into 
derivative products for similar purposes. 

On December 10, 2013, the FDIC, along with the Federal Reserve Board (FRB), 
the Office of the Comptroller of the (Currency (OCC), the SEC, and the CFTC, adopt- 
ed a final rule implementing Section 619. The Volcker Rule is designed to strength- 
en the financial system and constrain the level of risk undertaken by firms that 
benefit, directly or indirectly, from the Federal safety net provided by Federal de- 
posit insurance or access to the Federal Reserve’s discount window. The challenge 
to the agencies in implementing the Volcker Rule was to prohibit the types of pro- 
prietary trading and investment activity that Congress intended to limit, while al- 
lowing banking organizations to provide legitimate intermediation in the capital 
markets. 

In finalizing this rule, the agencies carefully reviewed more than 18,000 com- 
ments and made changes to the original proposal to address commenters’ concerns. 
The final rule is intended to preserve legitimate market making and hedging activi- 


summary of the FDIC’s progress implementing the provisions of the Dodd-Frank Act is 
attached to this testimony. 
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ties while maintaining market liquidity and vibrancy. The final rule also is designed 
to reduce overall burden by focusing requirements on those institutions that are 
more likely to engage in proprietary trading and covered fund activities. 

The final rule is structured around the three main elements of Section 619: 1) the 
proprietary trading prohibition, 2) the covered funds prohibition, and 3) the compli- 
ance requirements. 

Proprietary Trading Prohibition 

In general, the final rule prohibits proprietary trading by banking entities. How- 
ever, consistent with Section 619, the final rule includes exemptions for under- 
writing, market making, and risk-mitigating hedging, among other exemptions pro- 
vided in the final rule. 

The underwriting exemption requires that a banking entity act as an underwriter 
for a distribution of securities and that the trading desk’s underwriting position be 
related to that distribution. The underwriting position must be designed not to ex- 
ceed the reasonably expected near-term demands of customers. 

The exemption for market making-related activities requires that a trading desk 
routinely stand ready to purchase and sell one or more types of financial instru- 
ments. The trading desk’s inventory of these instruments must be designed not to 
exceed the reasonably expected near-term demands of customers. 

Under the final rule, determining customer demand is based on such things as 
historical demand and consideration of current market factors. A market-making 
desk may hedge the risks of its market-making activity under this exemption, pro- 
vided it is acting in accordance with certain risk management procedures required 
under the final rule. 

The requirements of the risk-mitigating hedging exemption are generally designed 
to ensure that hedging activity is limited to risk-mitigating hedging in purpose and 
effect. For instance, hedging activity must be designed to demonstrably reduce or 
significantly mitigate specific, identifiable risks of individual or aggregated positions 
of the banking entity. In addition, the banking entity must conduct an analysis (in- 
cluding a correlation analysis) supporting its documented hedging strategy, and the 
effectiveness of hedges must be monitored and, as necessary, recalibrated on an on- 
going basis. 

Under the final rule, a banking entity would be allowed to hedge individual expo- 
sures or aggregate exposures — for example, a specific loan book. However, a banking 
entity would not be allowed to engage in so-called “macro hedging.” The result is 
to allow cost-effective, risk-reducing hedging while preventing banking entities from 
entering into speculative transactions under the guise of hedging. 

The final rule allows a bank to engage in proprietary trading in certain Govern- 
ment obligations and generally does not prohibit certain trading activities of foreign 
banking entities, provided the trading decisions and principal risks of the foreign 
banking entity occur and are held outside of the United States. Such transactions 
may involve U.S. entities only under particular circumstances. The final rule also 
clarifies other exclusions and exempts certain other permitted activities. 

Covered Funds Prohibition 

The final rule prohibits banking entities from owning and sponsoring “hedge 
funds” and “private equity funds,” referred to in the final rule as “covered funds.” 
The final rule follows the statutory definition of covered funds and encompasses any 
issuer that would be an investment company under the Investment Company Act 
if it were not otherwise excluded by two provisions of that Act (section 3(c)(1) or 
3(c)(7)). The final rule also includes in the definition of covered funds other similar 
funds such as certain foreign funds and commodity pools, which are defined in a 
more limited manner than under the proposed rule. 

The final rule includes a number of exclusions from the definition of covered 
funds. These exclusions cover certain entities having more general corporate pur- 
poses (such as wholly owned subsidiaries or joint ventures), registered investment 
companies and business development companies regulated by the SEC and any 
issue of securities backed entirely by loans subject to certain asset restrictions.^ 

Consistent with the Dodd-Frank Act, the final rule designates certain activities 
as permissible. The final rule permits a banking entity, subject to appropriate condi- 
tions, to invest in or sponsor a covered fund in connection with organizing and offer- 


2 Accordingly , covered funds do not generally include securitizations such as residential mort- 
gage-backed securities (including GSE exposures), commercial mortgage-backed securities, auto 
securitizations, credit card securitizations, and commercial paper backed by conforming asset- 
backed commercial paper conduits. Certain other securitizations, such as collateralized loan obli- 
gations or collateralized debt obligations, will likely meet the definition of covered funds if they 
are unable to divest impermissible assets during the conformance period. 
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ing the covered fund, underwriting or market making-related activities, certain 
types of risk-mitigating hedging activities, activities that occur solely outside of the 
United States, and insurance company activities. 

The final rule places a number of limitations on permitted ownership interests in 
covered funds. In general, consistent with the statute, the final rule provides that 
a banking entity may not have any ownership in a covered fund unless it qualifies 
for an exemption such as organizing and offering the fund in accordance with re- 
quirements of the final rule or acting as a market maker for the fund. A banking 
entity that organizes and offers a covered fund must limit its total interest in each 
covered fund to no more than 3 percent of the ownership interests issued by the 
covered fund, and to no more than 3 percent of the value of the entire covered fund. 
However, if the covered fund is subject to risk retention requirements that must be 
satisfied by the banking entity, the final rule provides that the banking entity may 
retain additional ownership interests in the covered fund in order to satisfy any 
minimum risk retention requirement that may be established by the agencies by 
regulation. In addition, the aggregate of all interests the banking entity has in all 
covered funds may not exceed 3 percent of the banking entity’s tier 1 capital. Fi- 
nally, the banking entity must deduct the value of all of its interests in covered 
funds and any retained earnings from its capital for purposes of appl3dng the regu- 
latory capital standards. 

Certain other securitizations, such as collateralized loan obligations, will be ex- 
cluded from the definition of a covered fund if they are backed exclusively by loans. 
However, securitizations that currently include assets other than loans can be ex- 
cluded from the definition of covered funds if they divest impermissible assets dur- 
ing the conformance period. For securitizations that are covered funds, the condi- 
tions for a banking entity to be permitted an ownership interest in these types of 
securitizations are, with one exception described below, the same conditions that 
apply to any other covered fund — for instance, it organizes and offers the 
securitization or engages in underwriting or market making-related activities. 

Compliance Requirements 

In order to ensure compliance with the final rule, institutions engaged in covered 
practices will be required to have compliance programs in place commensurate with 
their size and level of activity. The agencies will monitor compliance through the 
compliance programs established by the institutions they regulate. To ensure con- 
sistent application of the final rule across all banking entities, the FDIC, FRB, OCC, 
SEC and CFTC have formed an interagency Volcker Rule Implementation Working 
Group (Working Group). The Working Group will address implementation issues on 
an ongoing basis and will provide the industry with additional guidance or clarity 
as necessary. The Working Group has begun meeting and will meet regularly to ad- 
dress reporting, guidance and interpretation issues to facilitate compliance with the 
rule. 

The final rule generally requires banking entities to establish an internal compli- 
ance program reasonably designed to ensure and monitor compliance with the final 
rule. In response to concerns raised by some commenters, the final rule provides 
compliance requirements that vary based on the size of the banking entity and the 
amount of covered activities it conducts. For example, banking entities that do not 
engage in activities covered by the final rule will have no compliance program re- 
quirements. 

Under the final rule, larger banking entities with $60 billion or more in total con- 
solidated assets must establish a more detailed compliance program as described in 
Appendix B of the final rule, including requirements that: 

• The banking entity adopt a written compliance program approved by the board 
of directors; 

• The board of directors and senior management are responsible for setting and 
communicating an appropriate culture of compliance and ensuring that appro- 
priate policies regarding the management of trading activities and covered fund 
activities or investments are adopted to comply with the requirements of the 
final rule; and 

• The chief executive officer of the banking entity must annually attest in writing 
to its primary Federal regulator that the banking entity has in place processes 
to establish, maintain, enforce, review, test, and modify the compliance program 
in a manner reasonably designed to achieve compliance with the final rule. 

Banking entities with total consolidated assets between $10 billion and $50 billion 
will be subject to the minimum compliance program requirements included in sec- 
tion 20(b) of the final rule. 
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Finally, the final rule requires banking entities with significant trading operations 
to report certain quantitative metrics related to trading activities, in accordance 
with section 20(d) and Appendix A of the final rule. These metrics are designed to 
monitor certain trading activities and. will be phased in over a period of time based 
on the type and size of the firm’s trading activities. 

Burden Reduction 

While the requirements of Section 619 apply to all banking entities regardless of 
size, the prohibited proprietary trading activities and investments in, and relation- 
ships with, hedge funds and private equity funds that are covered by the final rule 
are generally conducted by larger, more complex banking organizations. As a result, 
the final rule is designed to avoid placing needless requirements on banks that do 
not engage in these activities or have only limited exposure. 

The final rule focuses compliance requirements on those institutions that are 
more likely to engage in prohibited proprietary trading and covered fund activities. 
Under the final rule, a bank is exempt from all of the compliance program require- 
ments, and all of the associated costs, if it limits its covered activities to activities 
that are excluded from the definition of proprietary trading, such as trading in cer- 
tain Government, agency. State, and municipal obligations. In particular, the final 
rule provides that a banking entity is not required to implement a compliance pro- 
gram if it does not engage in activities or investments covered by the rule. This 
eliminates the compliance burden on banking entities that do not engage in covered 
activities or investments. 

A banking entity with total consolidated assets of $10 billion or less that engages 
in covered activities can meet the compliance requirements of the final rule simply 
by including in its existing compliance policies and procedures references to the re- 
quirements of section 13 of the Bank Holding Company Act and subpart D of the 
final rule as appropriate given the activities, size, scope and complexity of the bank- 
ing entity. This significantly reduces the compliance burden on smaller banking en- 
tities that engage in a limited amount of covered activities or investments. 

The final rule requires all other banking entities to establish a compliance pro- 
gram designed to ensure compliance with Section 619 and the requirements set 
forth in the final rule. Even for banking entities that must establish a compliance 
program, the final rule makes changes from the NPR to reduce the burden of the 
metrics reporting requirements. For example, the final rule raised the threshold for 
metrics reporting from $1 billion in trading assets and liabilities threshold originally 
proposed to $10 billion in trading assets and liabilities, thereby capturing only firms 
that engage in very significant trading activity. The final rule also reduced the num- 
ber of mandatory trading metrics required to be reported to the agencies from 
around 20 in the original proposal to 7 in the final rule. Additionally, the final rule 
provided for metrics reporting to be phased-in based on the size of the banking enti- 
ty’s trading assets and liabilities, with banks with more than $50 billion in trading 
assets and liabilities reporting first, following banks with more than $25 billion in 
trading assets and liabilities, and then banks with more than $10 billion in trading 
assets and liabilities. 

Treatment of TruPS CDOs 

Following the issuance of the final rule implementing section 619, a number of 
community banking organizations expressed concern that the final rule conflicts 
with the Congressional determination under section 171(b)(4)(C) of the Dodd-Frank 
Act to grandfather trust preferred securities (TruPS). On December 19 and Decem- 
ber 27, 2013, the banking agencies issued joint statements providing guidance to fi- 
nancial institutions regarding the potential impact of the final rule on the treatment 
of TruPS held in collateralized debt obligations (CDOs). These statements outlined 
some of the issues that must be resolved in order to determine whether ownership 
of an interest in a securitization vehicle that holds primarily TruPS would be sub- 
ject to the provisions of section 619 of the Dodd-Frank Act and the final imple- 
menting rules. ^ 

Following additional review, the agencies determined that it is appropriate and 
consistent with the provisions of the Dodd-Frank Act to exempt certain 
collateralized debt obligations backed primarily by trust preferred securities (TruPS 
CDOs) from the investment prohibitions of section 619 of the Act. Section 171 of the 
Dodd-Frank Act provides for the grandfathering of TruPS issued before May 19, 
2010, by certain depository institution holding companies with total assets of less 
than $15 billion as of December 31, 2009, and by mutual holding companies estab- 


3 http:! ! www.fdic.gov / news I news I press ! 2013 ! prl3123.html; http: ! / www.fdic.gov ! news 1 

news t press 1 2013 1 prl3126a.pdf. 
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lished as of May 19, 2010. The TruPS CDO structure was the vehicle that gave ef- 
fect to the use of TruPS as a regulatory capital instrument prior to May 19, 2010, 
and was part of the status quo that Congress preserved with the grandfathering 
provision of section 171. 

The interim final rule (IFR) adopted by the agencies on January 14, 2014 is con- 
sistent with the relief the agencies believe Congress intended to provide community 
hanking organizations under section 171(b)(4)(C) of the Dodd-Frank Act. Under the 
IFR, the agencies have exempted TruPS CDOs that meet specific criteria from the 
prohibition on the acquisition or retention of any interest in or sponsorship of cov- 
ered funds by banking entities. The Federal banking agencies also released a non- 
exclusive list of issuers that meet the requirements for the exemption.® The IFR is 
clear that banking organizations can rely solely on this list for compliance purposes. 
The agencies will accept public comment on the IFR for 30 days following its publi- 
cation in the Federal Register. 

Risk Retention 

On August 28, 2013, the FDIC Board approved an NPR issued jointly with five 
other Federal agencies to implement the credit risk retention requirement set forth 
in Section 941 of the Dodd-Frank Act, which seeks to ensure that securitization 
sponsors have appropriate incentives for prudent underwriting. The proposed rule 
generally requires that the sponsor of any asset-backed security (ABS) retain an 
economic interest equal to at least 5 percent of the aggregate credit risk of the col- 
lateral. This is the second proposal under Section 941; the first was issued in April 
2011 . 

The current NPR provides the sponsors of ABSs with various options for meeting 
the risk retention requirements. As required by the Dodd-Frank Act, the proposed 
rule defines a “qualified residential mortgage” (QRM), that is, a mortgage which is 
statutorily exempt from risk retention requirements. The NPR would align the defi- 
nition of QRM with the definition of “qualified mortgage” (QM) as prescribed by the 
Consumer Financial Protection Bureau (CFPB) in 2013. The NPR also includes a 
request for public comment on an alternative QRM definition that would add certain 
underwriting standards to the existing QM definition. Similar to the prior proposal, 
the current proposal sets forth criteria for securitizations of commercial real estate 
loans, commercial loans, and automobile loans that meet certain conservative credit 
quality standards to be exempt from risk retention requirements. 

The FDIC has received approximately 150 comments on the current NPR. A num- 
ber of comments relate to risk retention issues regarding open market collateralized 
loan obligations (CLOs).® The proposed rule considers an open market CLO manager 
to be a securitization sponsor and, therefore, the manager would generally be re- 
quired to retain 5 percent of the credit risk of CLO issuances. As an alternative, 
managers or sponsors could satisfy the risk retention requirement if the lead ar- 
rangers of the loans (typically the main lender) purchased by the open market CLO 
retained the required risk. Some commenters have argued that the lead arranger 
option is unworkable and that the proposal would significantly affect the formation 
and continued operation of CLOs, and that this could reduce the volume of commer- 
cial lending. The agencies are continuing to review comments and meet with inter- 
ested groups to discuss their concerns and will give full consideration to all issues 
raised before we issue the final rule. 

Examination Treatment of Qualified Mortgages 

Recognizing that many institutions are assessing how to implement the Ability- 
to-Repay and QM rules issued by the CFPB, the Federal financial regulators jointly 
issued interagency statements on their supervisory approach for residential mort- 
gage loans. The agencies emphasize that an institution may originate both QM and 
non-QM residential mortgage loans. A bank’s decision to offer only QM loans, absent 
other factors, should not elevate a supervised institution’s fair lending risk and is 
compatible with meeting Community Reinvestment Act obligations. The interagency 
statements emphasize that the agencies will not subject a residential mortgage loan 
to regulatory criticism — either from a safety and soundness or consumer protection 
perspective — based solely on the loan’s status as a QM or a non-QM. 


/ www.fdic.gov I news I news / press / 2014 / prl4003a.pdf 
^httpit / www.fdic.gov I news I news I press / 2014 1 prl4003b.pdf. 

® An open market CLO is defined as one (i) whose assets consist of senior, secured syndicated 
loans acquired directly from the sellers in open market transactions and of servicing assets, (ii) 
that is managed by a CLO manager, and (iii) that holds less than 50 percent of its assets, by 
aggregate outstanding principal amount, in loans syndicated by lead arrangers that are affili- 
ates of the CLO or originated by originators that are affiliates of the CLO. 
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Resolution of Systemically Important Financial Institutions 

Resolution Plans — “Living Wills” 

Under the framework of the Dodd-Frank Act, bankruptcy is the preferred option 
in the event of the failure of a SlFl. To make this objective achievable, Title 1 of 
the Dodd-Frank Act requires that all bank holding companies with total consoli- 
dated assets of $50 billion or more, and nonbank financial companies that the Fi- 
nancial Stability Oversight Council (FSOC) determines could pose a threat to the 
financial stability of the United States, prepare resolution plans, or “living wills,” 
to demonstrate how the company could be resolved in a rapid and orderly manner 
under the Bankruptcy Code in the event of the company’s financial distress or fail- 
ure. The living will process is an important new tool to enhance the resolvability 
of large financial institutions through the bankruptcy process. 

The 165(d) Rule, jointly issued by the FDIC and the Federal Reserve Board in 
2011, implemented the requirements for resolution plans and provided for staggered 
annual submission deadlines based on the size and complexity of the companies. 
Eleven of the largest, most complex institutions submitted initial plans in 2012 and 
revised plans in 2013. During 2013, the remaining 120 institutions submitted their 
initial resolution plans under the 165(d) rule. In addition, in 2013, the FSOC des- 
ignated three nonbank financial institutions for Federal Reserve Board supervision. 
These firms are expected to submit their initial resolution plans in 2014. 

2013 Guidance on Living Wills 

Following the review of the initial resolution plans submitted in 2012, the agen- 
cies developed Guidance for the firms to detail the information that should be in- 
cluded in their 2013 resolution plan submissions. The agencies identified an initial 
set of significant obstacles to rapid and orderly resolution which covered companies 
are expected to address in the plans, including the actions or steps the company has 
taken or proposes to take to remediate or otherwise mitigate each obstacle and a 
timeline for any proposed actions. These eleven institutions submitted their revised 
resolution plans in October 2013. 

As required by the statute, the resolution plans submitted in 2013 will be subject 
to informational completeness reviews and reviews for resolvability under the Bank- 
ruptcy Code. The agencies are reviewing how each resolution plan addresses a set 
of benchmarks outlined in the Guidance which represent the key impediments to 
an orderly resolution. The benchmarks are as follows: 

• Multiple Competing Insolvencies: Multiple jurisdictions, with the possibility of 
different insolvency frameworks, raise the risk of discontinuity of critical oper- 
ations and uncertain outcomes. 

• Global Cooperation: The risk that lack of cooperation could lead to ring-fencing 
of assets or other outcomes that could exacerbate financial instability in the 
United States and/or loss of franchise value, as well as uncertainty in the mar- 
kets. 

• Operations and Interconnectedness. The risk that services provided by an affil- 
iate or third party might be interrupted, or access to pa3unent and clearing ca- 
pabilities might be lost; 

• Counterparty Actions. The risk that counterparty actions may create oper- 
ational challenges for the company, leading to systemic market disruption or fi- 
nancial instabinty in the United States; and 

• Funding and Liquidity. The risk of insufficient liquidity to maintain critical op- 
erations arising from increased margin requirements, acceleration, termination, 
inability to roll over short-term borrowings, default interest rate obligations, 
loss of access to alternative sources of credit, and/or additional expenses of re- 
structuring. 

The FDIC and the Federal Reserve are charged with reviewing the 165(d) plans 
and may jointly find that a plan is not credible or would not facilitate an orderly 
resolution under the Bankruptcy Code. If a plan is found to be deficient in either 
case, the FDIC and the Federal Reserve must notify the filer of the areas in which 
the plan is deficient. The filer must resubmit a revised plan that addresses the defi- 
ciencies within 90 days (or other specified timeframe). The FDIC and the Federal 
Reserve currently are in the process of reviewing the plans under the standards pro- 
vided in the statute. 

Orderly Liquidation Authority 

In cases where resolution under the Bankruptcy Code may result in serious ad- 
verse effects on financial stability in the United States, the Orderly Liquidation Au- 
thority set out in Title II of the Dodd-Frank Act serves as the last resort alternative. 
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Upon recommendations by a two-thirds vote of the Federal Reserve Board and the 
FDIC Board and a determination by the Treasury Secretary in consultation with the 
President, a financial company whose failure is deemed to pose a risk to the finan- 
cial system may be placed into an FDIC receivership. Under the Act, key findings 
and recommendations must be made before the Orderly Liquidation Authority can 
be considered as an option. These include a determination that the financial com- 
pany is in default or danger of default, that failure of the financial company and 
its resolution under applicable Federal or State law, including bankruptcy, would 
have serious adverse effects on financial stability in the United States and that no 
viable private sector alternative is available to prevent the default of the financial 
company. 

In my July 11, 2013 testimony before this Committee, I described how the FDIC 
is developing a strategic approach, referred to as Single Point-of-Entry (SPOE), to 
carry out its Orderly Liquidation Authority for resolving a SIFI. Under the SPOE 
strategy, the FDIC would be appointed receiver of the top-tier parent holding com- 
pany of the financial group following the company’s failure and the completion of 
the recommendation, determination, and expedited judicial review process set forth 
in Title II of the Act. The FDIC would organize a bridge financial company into 
which assets from the receivership estate, including the failed holding company’s in- 
vestments in, and loans to subsidiaries, would be transferred. 

The FDIC would oversee operations of the bridge financial company and would 
retain control over certain high-level key matters of the bridge financial company’s 
governance. Shareholders would be wiped out, unsecured debt holders would have 
their claims written down to reflect any losses that shareholders cannot cover, and 
culpable senior management would be replaced. The FDIC would appoint a board 
of directors and nominate a new chief executive officer and other key managers to 
operate the bridge financial company under the FDIC’s oversight. The plan for re- 
structuring the company could include changing business, shrinking businesses, 
breaking the company into smaller entities, and liquidating certain assets or closing 
certain operations. The FDIC also would likely require the restructuring of the firm 
into one or more smaller nonsystemic firms that could be resolved under bank- 
ruptcy. 

During the operation of the bridge financial company, the healthy subsidiaries of 
the company would remain open, allowing them to continue business. In this man- 
ner the resolution strategy would protect against contagion in the financial system 
by maintaining vital linkages among critical operating subsidiaries, ensuring con- 
tinuity of services, and avoiding the disruption that would likely accompany failure. 
At the same time, the strategy would protect against moral hazard by holding ac- 
countable the failed company’s owners and management responsible for its failure. 

On December 10, 2013, the FDIC Board approved publication of a Federal Reg- 
ister notice'^ which provides greater detail on the SPOE strategy and discusses the 
key issues that will be faced in the resolution of a SIFI. The notice seeks public com- 
ment and views as to how the policy objectives set forth in the Dodd-Frank Act 
could better be achieved. 

In addition, the Federal Reserve, in consultation with the FDIC, is considering the 
merits of a regulatory requirement that the largest, most complex U.S. banking 
firms maintain a minimum amount of unsecured debt at the holding company level. 
Such a requirement would ensure that there are creditors at the holding company 
level to absorb losses at the failed firm. 

Cross-border Issues 

Advance planning and cross-border coordination for the resolution of globally ac- 
tive SIFIs will be essential to minimizing disruptions to global financial markets. 
Recognizing that global SIFIs create complex international legal and operational 
concerns, the FDiC continues to reach out to foreign regulators to establish frame- 
works for effective cross-border cooperation. 

As part of our bilateral efforts, the FDIC and the Bank of England, in conjunction 
with the prudential regulators in our respective jurisdictions, have been developing 
contingency plans for the failure of a global SIFI that has operations in the United 
States and the United Kingdom of the 28 G-SIFIs designated by the Financial Sta- 
bility Board (FSB) of the G-20 countries, four are headquartered in the United 
Kingdom, and another eight are headquartered in the United States. Moreover, ap- 
proximately 70 percent of the reported foreign activities of the eight U.S. G-SIFIs 
emanates from the United Kingdom. The magnitude of these financial relationships 
makes the U.S.-U.K. bilateral relationship by far the most significant with regard 


"^PDIC, Resolution of Systemically Important Financial Institutions: The Single Point of Entry 
Strategy, 78 Fed. Reg. 76,614 (Dec. 18, 2013). 
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to the resolution of Gr-SIFIs. Because of the magnitude of these institutions’ oper- 
ations, our two countries have a strong mutual interest in ensuring that the failure 
of such an institution could be resolved at no cost to teixpayers and without placing 
the financial system at risk. 

The FDIC and U.K. authorities released a joint paper on resolution strategies in 
December 2012, reflecting the close working relationship between the two authori- 
ties. This joint paper focuses on the application of “top-down” resolution strategies 
for a U.S. or a U.K. financial group in a cross-border context and addresses several 
common considerations to these resolution strategies. In December 2013, the FDIC 
and the Bank of England, including the Prudential Regulation Authority, in con- 
junction with the Federal Reserve Board and the Federal Reserve Bank of New 
York, held a staff-level tabletop exercise exploring cross-border issues and potential 
mitigating actions that could be taken by regulators in the event of a resolution. 

The FDIC also is coordinating with representatives from European authorities to 
discuss issues of mutual interest, including the resolution of European global SIFIs 
and ways in which we can harmonize receivership actions. The FDIC and the Euro- 
pean Commission (E.C.) have established a joint Working Group composed of senior 
executives from the FDIC and the E.C. to focus on both resolution and deposit in- 
surance issues. The agreement establishing the Working Group provides for meet- 
ings twice a year with other interim interchanges and the exchange of detailees. In 
2013, the Working Group convened formally twice, and there has been ongoing col- 
laboration at the staff level. The FDIC and the E.C. have had in-depth discussions 
regarding the FDIC’s experience with resolution as well as the SPOE strategy that 
we are developing. We also have discussed the E.C.’s proposed EU-wide Credit Insti- 
tution and Investment Firm Recovery and Resolution Directive, the E.C.’s proposed 
amendment to harmonize further deposit guarantee schemes EU-wide, and the 
E.C.’s proposal for a Single Resolution Mechanism that would apply to Euro-area 
Member States, as well as any others that would opt-in. The FDIC and the E.C. 
also have exchanged staff members for short periods to enhance staff experience 
with respective resolution authorities. In 2014, at the request of the E.C., the FDIC 
is planning to conduct a training seminar on resolutions for E.C. staff. 

The FDIC continues to foster its relationships with other jurisdictions that regu- 
late global SIFIs, including Switzerland, Germany, and Japan. In 2013, the FDIC 
had significant principal and staff-level engagements with these countries to discuss 
cross-border issues and potential impediments that would affect the resolution of a 
global SIFI. We will continue this work in 2014 with plans to host tabletop exercises 
with staff from these authorities. We also have discussed developing joint resolution 
strategy papers, similar to the one with the United Kingdom, as well as possible 
exchanges of detailees. 

In a significant demonstration of cross-border cooperation on resolution issues, the 
FDIC signed a November 2013 joint letter with the Bank of England, the Swiss Fi- 
nancial Market Supervisory Authority and the German Federal Financial Super- 
visory Authority, to the International Swaps and Derivatives Association, Inc. 
(ISDA). This letter encouraged ISDA to develop provisions in derivatives contracts 
that would provide for short-term suspension of early termination rights and other 
remedies in the event of a G-SIFI resolution. The adoption of such changes would 
allow derivatives contracts to remain in effect throughout the resolution process fol- 
lowing the implementation of a number of potential resolution strategies. 

We anticipate continuation of our international coordination and outreach and 
will continue to work to resolve impediments to an orderly resolution of a global 
SIFI. 

Capital and Liquidity Requirements 

Interagency Rulemakings on Basel III and the Supplementary Leverage Ratio 

In July 2013, the FDIC Board acted on two important regulatory capital 
rulemakings. First, the FDIC joined the Federal Reserve, and the OCC in issuing 
rulemakings that significantly revise and strengthen risk-based capital regulations 
through implementation of the Basel III international accord (“Basel III rule- 
making”). Second, these agencies also issued an NPR that would strengthen lever- 
age capital requirements for the eight largest U.S. bank holding companies (BHCs) 
and their insured banks. 

The Basel III rulemaking substantially strengthens both the quality and the 
quantity of risk-based capital for all banks in the U.S. by placing greater emphasis 
on tier 1 common equity capital. Tier 1 common equity capital is widely recognized 
as the most loss-absorbing form of capital, and the Basel III changes are expected 
to result in a stronger, more resilient industry better able to withstand periods of 
economic stress in the future. 
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The Basel III rulemaking also includes a new supplementary leverage ratio re- 
quirement, an issue agreed in the Basel III international accord. This represents an 
important enhancement to the international capital framework. Prior to this rule, 
there was no international leverage ratio requirement. For the first time, the Basel 
III accord included an international minimum leverage ratio, and consistent with 
the agreement, the Basel III rulemaking includes a 3-percent minimum supple- 
mentary leverage ratio that applies only to the 17 large banking organizations sub- 
ject to the advanced approaches rule. 

As noted above, the NPR would strenrthen the supplementary leverage require- 
ments encompassed in the Basel III rulemaking for the eight largest BHCs and 
their insured banks. The NPR would require covered insured depository institutions 
(IDIs) to satisfy a 6-percent supplementary leverage ratio to be considered well cap- 
italized for prompt corrective action (PCA) purposes. BHCs covered by the NPR 
would need to maintain a supplementary leverage ratio of at least 5 percent (a 3 
percent minimum plus a 2-percent buffer) to avoid restrictions on capital distribu- 
tions and executive compensation. 

As the NPR points out, maintaining a strong capital base at the largest, most sys- 
temically important institutions is particularly important because capital shortfalls 
at these institutions can contribute to systemic distress and have material adverse 
economic effects. The agencies’ analysis suggests that a 3-percent minimum supple- 
mentary leverage ratio contained in the Basel III accord would not have appreciably 
mitigated the growth in leverage among systemically important institutions in the 
years preceding the recent crisis. The FDIC views this as problematic because one 
of the most important objectives of the capital reforms was to address the buildup 
of excessive leverage. 

While the Basel III rulemaking raises risk-based capital requirements signifi- 
cantly, the minimum supplementary leverage ratio provided in Basel III does not 
raise leverage capital comparably. From a safety and soundness perspective, lever- 
age capital requirements and risk-based capital requirements are complementary. 
Each offsets the potential weaknesses of the other, and the two working together — 
as they have in the U.S. for over 20 years — are more effective than either by itself. 
For example, risk-weighted asset calculations are subject to modeling error, subjec- 
tivity, and other uncertainties. These weaknesses can be offset by a more robust le- 
verage ratio. On the other hand, risk-based capital measures are useful because 
they may better capture the risk posed by different kinds of assets. The NPR is in- 
tended to increase leverage capital to maintain rough comparability with the in- 
crease in risk-based capital required under Basel III. 

Higher capital requirements would help offset systemic risk and would also put 
additional private capital at risk before the Deposit Insurance Fund (DIF) and the 
Federal Government’s resolution mechanisms would be called upon. This proposed 
rulemaking is one of the most important steps the banking agencies could take to 
strengthen the safety and soundness of the U.S. banking and financial systems. 

Rule on the Liquidity Coverage Ratio and the Net Stable Funding Ratio Proposal 

A number of large financial institutions experienced significant liquidity problems 
during the financial crisis that exacerbated stress on the banking system, and more 
broadly, compromised financial stability. In response, the U.S. banking agencies 
have made a concerted effort, both domestically and internationally, to strengthen 
liquidity and short-term funding requirements for the largest U.S. banking organi- 
zations. 

In October 2013, the FDIC, together with the OCC and the Federal Reserve, 
issued an interagency proposed rule to implement a quantitative liquidity require- 
ment consistent with the Liquidity Coverage Ratio (LCR) developed by the Basel 
Committee on Banking Supervision on which the U.S. banking agencies serve as 
members. The LCR rule would apply to large, internationally active banking organi- 
zations and their consolidated subsidiary depository institutions with $10 billion or 
more in total consolidated assets and is an important step in helping to bolster the 
resilience of these organizations during periods of financial stress. The proposal re- 
quires banks to hold a minimum level of liquid assets to withstand contingent li- 
quidity events and provides a standard way of expressing a bank’s on-balance sheet 
liquidity position to stakeholders and supervisors. The proposal establishes a transi- 
tion schedule under which covered companies must fully meet the minimum LCR 
by January 1, 2017, 2 years earlier than the Basel deadline. The comment period 
on this proposal closed on January 31, 2014. 

In January 2014, the Basel Committee issued a related proposal to establish a 
Net Stable Funding Ratio (NSFR). The NSFR proposal complements the LCR by 
promoting stable funding profiles over the longer term by limiting over-reliance on 
short-term wholesale funding, improving the assessment of funding risk for on- and 



53 


off-balance sheet items, and encouraging stable sources of funding. To meet the pro- 
posed NSFR requirement, the largest U.S. banks would have to maintain a min- 
imum level of stable funding given the liquidity characteristics of their assets and 
off-balance sheet exposures. The FDIC strongly supports the Basel Committee’s 
NSFR proposal, and we anticipate that the U.S. banking agencies will develop a 
similar domestic rule once the Basel Committee’s consultation period ends in April 
of this year. 

Data Integrity 

Recent highly publicized data breaches have highlighted payment card data integ- 
rity issues at merchants. Compromised payment card data can affect millions of con- 
sumers and thousands of issuing banks globally. Consequently, payment card data 
integrity has been, and remains, a concern of the Federal banking regulators. Al- 
though the Federal banking agencies do not have the authority to regulate the pay- 
ment card operations of retail merchants, such as those subject to the recent 
breaches in the news, the FDIC and the other Federal banking regulators are able 
to examine merchant acceptance and payment card issuing operations that occur 
under the direct control of a bank. 

The FDIC treats data security as a significant risk area due to its potential to 
disrupt bank operations, harm consumers, and undermine confidence in the banking 
system and economy. The failure or misuse of technology can impact the safety and 
soundness of an institution with sudden and severe losses, directly harm consumers, 
or both. 

In its role as supervisor of insured institutions, the FDIC analyzes emerging cyber 
threats, occurrences of bank security breaches, and other incidents. The FDIC mon- 
itors security issues in the banking industry on a regular basis through onsite ex- 
aminations and regulatory reports. The FDiC, through its membership in the Finan- 
cial and Banking Information Infrastructure Committee (FBIIC), works with groups 
such as the Financial Services Sector Coordinating Council (FSSCC), other regu- 
latory agencies, law enforcement and others to share information regarding emerg- 
ing issues and coordinate our responses. 

Additionally, the Federal Financial Institutions Examination Council formed a 
Cybersecurity and Critical Infrastructure Working Group in June 2013. This work- 
ing group will serve as a liaison with the intelligence community, law enforcement 
and homeland security agencies on cybersecurity and critical infrastructure protec- 
tion-related issues. It also will conduct programs to create cyber risk awareness and 
consider additional industry guidance on specific threats. Finally, the group is pur- 
suing an agenda for the member agencies to collaborate on cybersecurity and critical 
infrastructure issues related to examination policy, training, information sharing 
and incident communication and coordination. 

The FDIC has issued guidance to financial institutions with respect to keeping 
data secure, protecting customers, and responding to breaches of data security. In 
2001, the Federal banking agencies issued Interagency Guidelines Establishing In- 
formation Security Standards, as required by Section 501(b) of the Gramm-Leach- 
Bliley Act, requiring every financial institution to have an information security pro- 
gram, approved by the institution’s board of directors, to protect customer informa- 
tion. 

The FDIC’s most direct role in ensuring cyber security within the financial sector 
is through its onsite examination programs. The FDIC regularly and routinely eval- 
uates all of its regulated financial institutions’ information security programs 
through our information technology (IT) examinations. The Federal banking agen- 
cies also conduct IT examinations of major technology service providers that provide 
services to financial institutions. These examinations are designed, in part, to en- 
sure that financial institutions protect both bank and customer information. De- 
pending on the findings from our examinations, informal or formal enforcement ac- 
tion may be pursued to achieve corrective actions. 

The Federal Financial Institutions Examination Council (FFIEC), which includes 
the FDIC, publishes a series of Information Technology Examination Handbooks. 
Banks and their service providers are examined by their appropriate Federal bank- 
ing agency using the standards in the FFIEC books, which includes an assessment 
of their information security and protection of customer information, among other 
things. The handbooks address objectives, standards, resources, roles and respon- 
sibilities, best practices, and examination procedures. These handbooks are avail- 
able to examiners, bankers, and the public. 

With respect to retail payments in particular, the Federal banking agencies’ su- 
pervisory programs assess acquiring banks to ensure that appropriate payment op- 
erations risk mitigation efforts are in place. Included as part of the FFIEC IT Exam- 
ination Handbook are two booklets, “Retail Payment Systems” and “Wholesale Pay- 
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ment Systems,” to address regulatory expectations for risk management of these 
systems. 

The Federal banking agencies issued guidance in March 2005 for financial institu- 
tions to develop and implement a Response Program designed to address incidents 
of unauthorized access to sensitive customer information. 

Recognizing that addressing cyber risks can be especially challenging for commu- 
nity banks, the FDIC is taking steps to assist them with planning and training. At 
the November 19, 2013 meeting of its Advisory Committee on Community Banking, 
we shared with members, an exercise that institutions can use to initiate discus- 
sions about operational risk and the potential impact of IT disruptions on common 
banking functions. This exercise, named “Cyber Challenge,” provides financial insti- 
tutions with four exercise scenarios via short videos. Each video represents a stand- 
alone scenario so users may choose to consider any number of the scenarios in any 
order they desire. Each video has associated challenge questions that have been de- 
veloped to promote discussion on topics relevant to the specific scenarios and to as- 
sist institutions in the development of proper responses. Additionally, financial in- 
stitutions may discuss how they would react to the scenario, how they would handle 
the situation in their respective institution, and what controls their institution has 
in place to prevent the situation. Cyber Challenge will be distributed to all FDIC- 
supervised institutions in the near future. 

Conclusion 

Thank you for the opportunity to share with the Committee the work that the 
EDIC has been doing to implement the Dodd-Erank Act and address systemic risk 
in the aftermath of the financial crisis. I would be glad to respond to your questions. 

Status of FDIC Dodd-Frank Act Rulemakings 
Completed FDIC-only Rulemakings 

FDIC has met all applicable deadlines in issuing those required regulations in the 
Dodd-Frank Wall Street Reform and Consumer Protection Act for which it is solely 
responsible. These include: 

• Orderly Liquidation Authority (OLA) Regulations 

• Inflation adjustment for wage claims against financial company in receiver- 
ship; 

• Executive compensation clawbacks and definition of compensation; and 

• Definition of ‘predominantly engaged in activities financial in nature’ for title 
II purposes. 

• Deposit Insurance Fund Management Regulations 

• Regulations establishing an asset-based assessment base; 

• Regulations implementing permanent $250,000 coverage; 

• Elimination of pro-cyclical assessments; dividend regulations; 

• Restoration plan to increase the minimum reserve ratio from 1.15 to 1.35 per- 
cent by Sept. 30, 2020; and 

• Regulations implementing temporary full Deposit Insurance coverage for non- 
interest bearing transaction accounts (Program expired 12/31/12). 

The EDIC has also issued several optional rules, including the following OLA 
rules: 

• Rules governing payment of post-insolvency interest to creditors; 

• Rules establishing the proper measure of actual, direct, compensatory damages 

caused by repudiation of contingent claims; 

• Rules governing the priority of creditors and the treatment of secured creditors; 

• Rules governing the administrative claims process; 

• Rules governing the treatment of mutual insurance holding companies; and 

• Rules providing for enforcement of contracts of subsidiaries or affiliates of a cov- 
ered financial company. 

Completed Interagency Rules: 

FDIC and its fellow agencies have issued a number of joint or interagency regula- 
tions. These include: 

• Title I resolution plan requirements; 

• Regulations implementing self-administered stress tests for financial companies; 
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• Minimum leverage capital requirements for IDIs (Collins § 171(b)(1)); 

• Minimum risk-based capital requirements (Collins § 171(b)(2)); 

• Capital requirements for activities that pose risks to the financial system (Col- 
lins § 171(b)(7)) (as of July 9, 2013); 

• Rules providing for calculation of the “maximum obligation limitation”; 

• Regulations on foreign currency futures; 

• Removing regulatory references to credit ratings; 

• Property appraisal requirements for higher cost mortgages; 

• Appraisals for higher priced mortgages supplemental rule; 

• Appraisal independence requirements; 

• Volcker Rule Prohibition on Proprietary Trading and Investments in Covered 
Funds; and 

• Interim final rule authorizing Retention of Interests in CDOs backed by Bank- 
Issued Trust Preferred Securities 

Rulemakings in process — FDIC-only: 

A few regulations without statutory deadlines remain in process. These include: 

• OLA regulations implementing post-appointment requirements and establishing 
eligibility requirements for asset purchasers; and 

• Integration and Streamlining of adopted OTS regulations. 

Interagency Rulemakings in process: 

• Additional OLA Rules: 

• Orderly liquidation of covered brokers and dealers; 

• Regulations regarding treatment of officers and directors of companies re- 
solved under Title II; and 

• QFC recordkeeping rules; 

• Regulations implementing the credit exposure reporting requirement for large 
BHCs and nonbank financial companies supervised by the FRB; 

• Regulations implementing the “source of strength” requirement for BHCs, 
S&LHCs, and other companies that control IDIs; 

• Capital and margin requirements for derivatives that are not cleared OTC; 

• Regulations governing credit risk retention in asset-backed securitizations, in- 
cluding ABS backed by residential mortgages; 

• Regulations governing enhanced compensation structure reporting and prohib- 
iting inappropriate incentive-based payment arrangements; 

• Rulemaking prohibiting retaliation against an IDI or other covered person that 
institutes an appeal of conflicting supervisory determinations by the CFPB and 
the appropriate prudential regulator; and 

• Additional appraisals and related regulations: 

• Minimum requirements for registration of appraisal management companies 
and for the reporting of the activities of appraisal management companies to 
Appraisal Subcommittee; 

• Regulations to implement quality controls standards for automated valuation 
models; and 

• Regulations providing for appropriate appraisal review. 

Other DFA Regulations and Guidance: 

• OMWI — Proposed Standards for Assessing Diversity in Regulated Entities; 

• Stress Testing Guidance, including: 

• Economic Scenarios for 2014 Stress Testing; 

• Policy Statement on the Principles for Development and Distribution of An- 
nual Stress Test Scenarios (FDIC-supervised institutions); and 

• Proposed Interagency Supervisory Guidance on Implementing Dodd-Frank 
Act Company-Run Stress Tests for Banking Organizations With Total Con- 
solidated Assets of More Than $10 Billion But Less Than $50 Billion; and 
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• Interagency Statement on Supervisory Approach for Qualified and Non-Quali- 
fied Mortgage Loans 


PREPARED STATEMENT OF THOMAS J. CURRY* 

Comptroller of the Currency 
Office of the Comptroller of the Currency 
February 6, 2014 

Chairman Johnson, Ranking Member Crapo, and Members of the Committee, 
thank you for the opportunity to appear before you today. As the national economy 
continues to improve, so do the balance sheets of the financial institutions that the 
Office of the Comptroller of the Currency (OCC) supervises. The industry’s improved 
strength is reflected in stronger capital, improved liquidity, and timely recognition 
and resolution of problem loans. We are mindful, however, of the lessons of the fi- 
nancial crisis, and we have learned from that experience. We have taken a close 
look at how we supervise national banks and Federal savings associations (collec- 
tively, banks) and have devoted considerable time and resources to improving the 
way we do our job. 

With this in mind, I will begin my testimony today by describing the independent 
peer review study, which was undertaken at my direction, to assess the effective- 
ness of OCC’s supervision of large and midsize banks. I will also discuss the OCC’s 
recently proposed heightened expectations guidelines, designed to strengthen the 
risk management and governance practices of our large banks. We are setting a 
high bar for the institutions we supervise, and, as our international peer review 
project demonstrates, we are asking no less of ourselves. 

In addition, as the Committee requested, I will discuss the OCC’s expectations of 
the banks that we supervise with regard to their ability to defend both their sys- 
tems and their customers’ confidential information from cyber threats, as well as 
our role in supervising the retail payment system activities of banks. While banks 
are highly regulated, the financial services industry is an attractive target for cyber 
attacks, and therefore, we recognize the need to ensure that banks are doing every- 
thing necessary to protect themselves and their customers’ information. To ensure 
we stay on top of the evolving threats to the financial services industry, the OCC 
is committed to refining our supervisory processes on an ongoing basis and to par- 
ticipating in public-private partnerships to help keep abreast of and respond to 
emerging threats. 

Finally, my testimony will address our ongoing efforts to implement the Dodd- 
Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act or Act) 
and to strengthen bank capital. Specifically, I will discuss the newly finalized risk- 
based capital rules, as well as the proposed liquidity rules and enhanced leverage 
capital ratio requirement. I also will provide an overview of the finalized “Volcker” 
rules and our progress in implementing specific provisions of Title VII of the Act. 
I will conclude with a summary of other rulemaking projects required by the Act 
on which we have made substantial progress, including the appraisal and credit risk 
retention rules. 

I. Improving Financial Stability through Enhanced Prudential Regulation 
and Supervision 

A. International Peer Review Study 

Throughout our 150-year history, effective supervision of national banks has been 
the core mission of the OCC. While the scope of that mission has expanded to in- 
clude Federal savings associations, our focus on quality supervision has not 
changed. 

To do our job effectively, we must maintain controls and a review program that 
is every bit as rigorous as what we expect of our banks. This proposition underlies 
the OCC’s new Enterprise Governance unit, which will conduct independent reviews 
of each OCC business line. These reviews will enhance existing processes, including 
quality assurance programs that each business line maintains. 

The financial crisis showed how important supervision is to the soundness of the 
banking system, and I feel strongly that we need to do everything possible to ensure 
the effectiveness of OCC supervision. Last year, I brought together a team of senior 
international regulators to provide an independent and unvarnished assessment of 


* Statement Required by 12 U.S.C. § 250: 

The views expressed herein are those of the Office of the Comptroller of the Currency and 
do not necessarily represent the views of the President. 
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the OCC’s supervision program for large and midsize banks. Even the very best or- 
ganizations have room to improve, and in fact, one of the hallmarks of a healthy 
culture is an organization’s willingness to engage in a process of continual improve- 
ment. This is something the OCC has done throughout its 150 years. However, in 
the wake of the financial crisis, I believed it was particularly important to establish 
a process to assess our strengths and weaknesses and evaluate where we could do 
better. 

The peer review team was comprised of veteran bank regulators from countries 
whose financial systems proved to be particularly resilient during the financial cri- 
sis. It was chaired by Jonathan Fiechter, a former OCC Senior Deputy Comptroller 
who, until recently, served as a senior official with the International Monetary 
Fund, where he headed the Monetary and Capital Markets Department’s financial 
supervision and crisis management group. 

In December 2013, I received and released to the public the peer review team’s 
report.^ Its recommendations cover six key areas: mission, vision, and strategic 
goals; identification of risk; ratings systems; staffing; scope and consistency of the 
OCC’s supervisory strategies; and our enterprise governance function. I am gratified 
that the report highlighted a number of areas in which the OCC has been very suc- 
cessful. As the chair of the peer review team noted in his transmittal letter to me, 
“The OCC is fortunate to have such a highly motivated, experienced, and profes- 
sional staff dedicated to carrying out the work of the OCC.” The report praised the 
lead expert program ^ in our Midsize Bank Supervision business line, as well as the 
work of our National Risk Committee.^ The peer review team also noted that our 
supervisory staff demonstrated a strong commitment to rigorous supervision of the 
institutions we regulate and pride in the OCC as a supervisory agency. Further, the 
team validated a number of initiatives that we had already begun, including eight 
strategic initiatives to address challenges and opportunities facing the agency. 
These strategic initiatives focus on retention and recruitment, bank and thrift su- 
pervision, leadership, agency funding, technology, internal and external communica- 
tion, and an enterprise-wide self-assessment process focused on continuous improve- 
ment. 

While the peer review team found much to praise, its report also highlighted 
areas in which its members believe the OCC could improve. For example, the report 
addresses the OCC’s resident examination program and the relationship between 
the OCC’s Risk Assessment System and the interagency CAMELS rating system. 
After receiving the report, I set up senior-level working groups to evaluate and 
prioritize the recommendations and develop specific implementation plans for areas 
where the groups conclude that there are opportunities for improvement. I am com- 
mitted to a full review of the issues and recommendations identified in the report 
and to continuous improvement in the way the OCC does business. 

B. Heightened Expectations 

Because of their size, activities, and implications for the U.S. financial system, 
large banks require more rigorous regulation and supervision. To support this objec- 
tive, the OCC recently issued a proposal that would provide additional supervisory 
tools to examiners aimed at strengthening risk management practices and govern- 
ance of large banks. This proposal codifies and builds on a set of supervisory 


^See OCC News Release 2013—184 for a copy of the report, available at: http: I! wwiv.occ.gov ! 
news-issuances / news-releases / 2013 / nr-occ-2013-184.html. 

2 The lead expert program assigns an expert to each key risk area. These experts, who are 
independent from exam staff, review and opine on our annual supervisory strategy and super- 
visory communications for each large and midsize bank we supervise. This program ensures that 
the OCC consistently handles issues across the agency’s portfolio. 

^The OCC’s National Risk Committee (NRC) monitors the condition of the Federal banking 
system, as well as emerging threats to the system’s safety and soundness. The NRC also mon- 
itors evolving business practices and financial market issues and helps to shape supervisory ef- 
forts to address emerging risk issues. NRC members include senior agency officials who super- 
vise banks of all sizes, as well as officials from the legal, policy, and economics departments. 
The NRC helps to formulate the OCC’s annual bank supervision operating plan that guides our 
supervisory strategies for the coming year. The NRC also publishes the Semiannual Risk Per- 
spective report to provide information to the industry and the general public on issues that may 
pose threats to the safety and soundness of OCC-regulated financial institutions. 

"^The OCC’s risk assessment system provides a framework that OCC examiners use to meas- 
ure, document, and communicate the OCC’s conclusions about the quantity of risk, quality of 
risk management, and direction of risk for eight risk categories. The interagency CAMELS rat- 
ing system integrates six component areas: capital adequacy, asset quality, management, earn- 
ings, liquidity, and sensitivity to market risk. Evaluations of these component areas take into 
consideration an institution’s size and sophistication, the nature and complexity of its activities, 
and its risk profile. 
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“heightened expectations” that embody critical lessons learned from the financial 
crisis. 

The financial crisis taught us the importance of comprehensive and effective risk 
management; the need for an engaged board of directors that exercises independent 
judgment; the need for a robust audit function; the importance of talent develop- 
ment, recruitment, and succession planning; and a compensation structure that will 
not incentivize inappropriate risk taking. In 2010, we began communicating our 
heightened expectations to the banks through discussions at board meetings and in 
writing. We continued to refine and reinforce these heightened expectations through 
our ongoing supervisory activities and frequent communication with bank manage- 
ment and boards of directors. We spent time educating our examiners and bankers 
to clarify our expectations and specifically noted our requirement for a frank assess- 
ment of the gaps between existing and desired practices. The OCC also began to 
examine each large institution for compliance with the expectations and has in- 
cluded in each bank’s Report of Examination an overall rating of how the bank 
meets these heightened expectations. 

Our recent proposal builds upon and formalizes the heightened expectations pro- 
gram in the form of enforceable guidelines that would generally apply to insured 
national banks, insured Federal savings associations, and insured Federal branches 
of foreign banks with average total consolidated assets of $50 billion or more. 

The proposed guidelines set forth minimum standards for the design and imple- 
mentation of a bank’s risk governance framework and provide minimum standards 
for the board’s oversight of the framework. The bank’s risk governance framework 
should address all risks to a bank’s earnings, capital and liquidity, and reputation 
that arise from the bank’s activities. The proposal also sets out roles and respon- 
sibilities for the organizational units that are fundamental to the design and imple- 
mentation of the framework. These units, often referred to as a bank’s three lines 
of defense, are front line business units, independent risk management, and internal 
audit. Together, these units should establish an appropriate system to control risk 
taking. Underlying the framework is a risk appetite statement that articulates the 
aggregate level and types of risk a bank is willing to assume in order to achieve 
its strategic objectives, consistent with applicable capital, liquidity, and other regu- 
latory requirements. 

The proposed guidelines also contain standards for boards of directors regarding 
oversight of the design and implementation of a bank’s risk governance framework. 
It is vitally important that each director be engaged in order to understand the risks 
being taken by his or her institution and to ensure that those risks are well man- 
aged. Informed directors who exercise independent judgment can better question the 
propriety of strategic initiatives and assess the balance between risk taking and re- 
ward. An effective board also should actively oversee management. Directors should 
be in a position to present a credible challenge to bank management while fulfilling 
their duty to preserve the sanctity of the national bank or Federal savings associa- 
tion charter. By sanctity of the charter, I mean that directors must ensure that the 
institution operates in a safe and sound manner. The national bank or Federal 
thrift should not simply function as a booking entity for the holding company. It is 
a special corporate franchise that is the gateway to Federal deposit insurance and 
access to the discount window. 

The guidelines are proposed as a new appendix to Part 30 of our regulations. Part 
30 codifies an enforcement process set out in a statutory provision that authorizes 
the OCC to prescribe operational and managerial standards. If a bank fails to sat- 
isfy a standard, the OCC may require it to submit a compliance plan detailing how 
it will correct the deficiencies and how long that will take. The OCC can issue an 
enforceable order if the bank fails to submit an acceptable compliance plan or fails 
in any material way to implement an OCC-approved plan. 

Higher supervisory standards for the large banks we oversee, such as those in the 
proposed guidelines, along with bank management’s implementation of these stand- 
ards, are consistent with the Dodd-Frank Act’s broad objective of strengthening the 
financial system. We believe that this increased focus on strong risk management 
and corporate governance will help banks maintain the balance sheet improvements 
achieved since the financial crisis and make them better able to withstand the im- 
pact of future crises. 

II. Data Security 

There are few issues more important to me or to the OCC than the emerging risks 
posed by the increasing sophistication of cyber attacks. One of my highest priorities 
is to ensure that banks continue to improve their ability to protect both their sys- 
tems and their customers’ data against cyber attacks. Wiile the banking sector is 
highly regulated and has been subject to stringent information security require- 
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ments for decades, we recognize that both our supervision and our guidance to 
banks must be regularly updated to keep pace with the rapidly changing nature of 
cyber threats. For this reason, when I became Chairman of the Federal Financial 
Institutions Examination Council (FFIEC), I called for the creation of a working 
group on cybersecurity issues to be housed under the EFIEC’s task force on super- 
vision. The working group has already begun to meet with intelligence, law enforce- 
ment, and homeland security officials, and it is exploring additional approaches 
bank regulators can take to ensure that institutions of all sizes have the ability to 
safeguard their systems. 

Recent events, such as the Distributed Denial of Service attacks on banks and the 
information security breaches at Target and Neiman Marcus, highlight the sophisti- 
cated nature of evolving cyber threats, as well as the interdependencies that exist 
in today’s payment systems. They also remind us of the impact that cyber attacks 
have on consumers and financial institutions. When accounts are compromised, the 
affected consumers often pay a stiff price in terms of lost time and the expense of 
restoring their credit information, even though they are protected against fraudu- 
lent card charges by their financial institutions. In addition to the inconvenience to 
and burden on consumers, financial institutions, including community banks that 
issue credit and debit cards, often end up bearing the costs when bank customer 
information maintained by merchants is compromised. Banks have borne the ex- 
pense of replacing cards, providing credit monitoring services, responding to high 
volumes of customer inquiries, monitoring for fraudulent transactions, and reim- 
bursing customers for fraud losses. 

Information security has long been an integral part of the OCC’s supervisory proc- 
ess. We have a variety of tools and broad authority to require the banks we regulate 
and their service providers to protect their own systems and their customers’ data 
and to take steps to identify, prevent, and mitigate identity theft, no matter how 
a customer’s information was acquired. Over the years, the OCC, on its own and 
through the FFIEC, has published guidance and handbooks that have made clear 
our expectations about acceptable risk management processes and procedures for 
safeguarding information. 

A. Information Security Guidelines and Guidance on Response Programs for 
Unauthorized Access to Customer Information and Customer Notice 

Following the 1999 enactment of the Gramm-Leach-Bliley Act, the OCC, in con- 
junction with the Federal Deposit Insurance Corporation (FDIC) and the Iloard of 
Governors of the Federal Reserve System (Federal Reserve) (collectively, the Federal 
banking agencies) published enforceable information security guidelines that set 
forth standards for administrative, technical, and physical safeguards financial in- 
stitutions must have to ensure the security and confidentiality of customer informa- 
tion. These interagency guidelines require banks to develop and implement formal 
information security programs. 

These programs need to be tailored to the bank’s assessment of the risks it faces. 
These risks include internal and external threats to customer information and any 
method used to access, collect, store, use, transmit, protect, or dispose of the infor- 
mation. Each bank must consider the specific security measures set forth in the 
guidelines and adopt those that are appropriate for the institution. Given the evolv- 
ing threat and technology environment, the guidelines require a bank’s information 
security program to be dynamic — to continually adapt to address new threats, 
changes in technology, and new business arrangements. We also expect banks to 
routinely test their systems for vulnerabilities and to address the weaknesses they 
discover. 

To ensure effective oversight, the guidelines require that information security pro- 
grams be approved by an institution’s board of directors. The board must also over- 
see the program’s development, implementation, and maintenance, and it must re- 
view annual reports that describe the bank’s compliance with the guidelines. 

Since banks often depend upon service providers to conduct critical banking ac- 
tivities, the guidelines also address how banks must manage the risks associated 
with their service providers that have access to customer information. This past Oc- 
tober, the OCC released updated guidance that emphasizes the importance of risk 
management practices for critical activities throughout the lifecycle of the third- 
party relationship.® The guidance also stresses our expectation that the board and 
management ensure that appropriate risk management practices are in place, estab- 


OCC Bulletin 2013—29 “Third Party Relationships: Risk Management Guidance” avail- 
able at: http: ! / www.occ.gov I news-issuances / bulletins / 2013 1 buUetin-2013-29.htmL 
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lish clear accountability for day-to-day management of these relationships, and peri- 
odically conduct independent reviews of these relationships. 

While strong and resilient information security programs are critical, the evolving 
nature and sophistication of cyber attacks also require banks to have strong and 
well-coordinated incident response programs that can be put into action when a 
cyber attack or security breach does occur. Nearly a decade ago, the OCC, in con- 
junction with the FDIC and Federal Reserve, issued guidance to supplement the in- 
formation security guidelines titled “Response Programs for Unauthorized Access to 
Customer Information and Customer Notice.” This guidance addresses breaches of 
customer information maintained by or on behalf of banks and makes clear that the 
OCC expects each bank to implement an incident response program with specific 
policies and procedures to address unauthorized access to customer information. We 
expect a bank’s incident response program to include a process for notifying cus- 
tomers and taking appropriate steps, not only to contain and control the incident, 
but also to prevent further unauthorized access to or use of the customer informa- 
tion. The bank is expected to notify both law enforcement and its primary regulator 
and to provide customers with information they need, such as how to place a fraud 
alert on their credit reports. 

During and following cyber attacks on the financial sector, the OCC plays an im- 
portant role in identifying risks to bank systems and bank customer information 
and conveying appropriate risk management practices to the industry, including de- 
fensive strategies and tactics to contain attacks. The OCC gathers information from 
our affected banks and shares information with other Government agencies. We 
have participated in briefings for our banks, service providers, and examiners on 
specific cyber threats. In addition, through our membership in both the Financial 
and Banking Information Infrastructure Committee and the Financial Services In- 
formation Sharing and Analysis Center, which are part of the financial sector’s puh- 
lic-private partnerships, we share information regarding cyber threats and discuss 
various means to improve the security and resiliency of the financial sector. 

B. Identity Theft Red Flags 

While the information security guidelines require banks to safeguard the cus- 
tomer information that they maintain or that is maintained on their behalf, hanks 
also are required to be on the alert for identity theft involving their customers’ infor- 
mation, no matter how and where an identity thief acquired the information. Pursu- 
ant to section 114 of the FACT Act, the Federal banking agencies, together with the 
National Credit Union Administration (NCUA) and the Federal Trade Commission, 
issued regulations in 2007 titled “Identity Theft Red Flags and Address Discrep- 
ancies.” The final rules require each financial institution and creditor to develop and 
implement a formal identity theft prevention program that includes policies and 
procedures for detecting, preventing, and mitigating identity theft in connection 
with account openings and existing accounts. The program must cover any consumer 
account or any other account that the financial institution or creditor offers or main- 
tains for which there is a reasonably foreseeable risk to consumers or to the safety 
and soundness of the financial institution or creditor from identity theft. In addi- 
tion, it must include policies and procedures to identify relevant red flags, detect 
red flags incorporated into the program, respond appropriately to the red flags that 
are detected, and ensure the program is updated periodically to reflect changes in 
risks to customers and to the institution from identity theft. 

The agencies also issued guidelines to assist covered entities in developing and 
implementing an identity theft prevention program. The guidelines include a sup- 
plement that identifies 26 patterns, practices, and specific forms of activity that are 
“red flags” signaling possible identity theft. These include alerts, notifications, or 
other warnings received from consumer reporting agencies or service providers, the 
presentation of suspicious documents or suspicious personal identifying information, 
the unusual use of or other suspicious activity related to a covered account, or notice 
from customers, victims of identity theft, or law enforcement authorities. When a 
bank detects identity theft red flags, the bank is expected to respond by taking steps 
that include monitoring accounts, contacting the customer, changing passwords, 
closing and reopening the account, and notifying law enforcement, as appropriate. 

C. Retail Payment Systems 

Banks provide essential retail payment transactions and services to businesses 
and consumers, including the acceptance, collection, and processing of a variety of 
payment instruments and participation in clearing and settlement systems. From 
the initiation of a retail payment transaction to its final settlement, banks are ex- 
posed to certain risks, such as credit, liquidity, compliance, reputation, and oper- 
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ational risks, including fraud, particularly during settlement activities. These risks 
may arise from interactions with payment system operators and other third parties. 

Recent technological advances are expanding the opportunities for the develop- 
ment of innovative payment products and services. New electronic pa3unent instru- 
ments and systems offer gains in efficiency by allowing for the rapid and convenient 
transmission of payment information among system participants. However, without 
appropriate safeguards, these new products and services can also permit fraud, 
money laundering, and operational disruption to occur. In addition, nonbank third 
parties are increasingly participating in retail pajunent systems, contributing to in- 
novation but also adding complexity to the transaction chain, which may increase 
risk in payment processes. Retail payment risk management is increasingly dif- 
ficult, requiring close attention to the changing nature of risk and robust oversight. 

The OCC, on its own and through the FFIEC, has issued guidance on identifying 
and controlling risks associated with retail payment systems and related banking 
activities. Risk profiles vary significantly based on the size and complexity of a 
bank’s retail payment products and services, expertise, technology infrastructure, 
and dependence on third parties. The OCC expects banks engaging in these activi- 
ties to be aware of the inherent risks of their activities and implement appropriate 
risk management processes. OCC examiners also assess risk levels and risk man- 
agement practices at banks and schedule oversight activities based upon the risk 
profile of the bank and the complexity of the products and services offered. 

Banks not only must comply with Federal requirements but also with State laws 
and regulations relating to payment systems and with the operating rules of clear- 
ing houses and bank card networks, such as Pa3unent Card Industry-Data Security 
Standards (PCI-DSS). In addition, we expect all banks to maintain effective inter- 
nal controls, including robust fraud detection systems and financial, accounting, 
technical, procedural, and administrative controls necessary to minimize risks in the 
retail payment transaction, clearing, and settlement processes. These measures, 
when effectively employed, reduce payment system risk, ensure that individual 
transactions are valid, and mitigate processing and other errors. Effective controls 
also ensure that the retail payments infrastructure operates with integrity, con- 
fidentiality, and availability. 

D. The OCC’s Supervision Program 

The OCC’s ongoing supervision program addresses information security and iden- 
tity theft prevention for banks, including with respect to bank participation in the 
payment system. The supervisory program involves teams of examiners who evalu- 
ate information security and identity theft controls and risk management during 
their examinations of banks. Our most experienced examiners supervise the largest 
institutions and also participate, with the FDIC and Eederal Reserve, in examina- 
tions of the largest bank technology service providers. The OCC’s supervision, in- 
cluding of information technology, continues to evolve as the risks facing the indus- 
try change. Both on our own and through the FFIEC, we update examiner training, 
regulatory guidance, and examiner booklets. We also issue alerts to address risks 
stemming from increasingly complex bank operations and third-party relationships, 
new technologies, and the increasing volume and sophistication of cyber threats. 

When necessary, the OCC uses our enforcement process to ensure compliance 
with our standards. When we have found serious gaps in meeting our supervisory 
expectations, we have taken enforcement actions that include cease and desist or- 
ders and civil money penalties. In some cases, the OCC has also found it necessary 
to compel banks to notify their customers of breaches involving personal informa- 
tion. 

The OCC also has taken enforcement actions against bank insiders who were en- 
gaged in identity theft-related activities or were otherwise involved in serious 
breaches or compromises of customer information. These enforcement actions have 
included orders prohibiting individuals from working in the banking industry, per- 
sonal cease and desist orders restricting the use of customer information, significant 
civil money penalties, and orders requiring restitution. 

The OCC is committed to maintaining a robust regulatory framework that re- 
quires banks to protect their systems and their customers’ information. The volume 
and sophistication of the cyber threats to our payment systems and other financial 
infrastructures are evolving rapidly. Furthermore, these systems are dependent on 
other critical infrastructures that are also vulnerable to these threats, such as tele- 
communications and energy, which are outside of the industry’s direct control. For 
this reason, we will continue to look for ways to improve our supervisory processes 
and make the system stronger, through collaboration and cooperation with industry 
participants, as well as other regulatory and Government agencies, such as law en- 
forcement. 
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III. Capital and Liquidity 
A. Capital 

Last year, the OCC, FDIC, and Federal Reserve finalized a rule that comprehen- 
sively revises U.S. capital standards. This rule strengthens the definition of regu- 
latory capital, increases risk-based capital requirements, and amends the meth- 
odologies for determining risk-weighted assets. It also adds a new, stricter leverage 
ratio requirement for large, internationally active banks. These revisions reflect en- 
hancements to the international capital framework published by the Basel Com- 
mittee on Banking Supervision and are a result of lessons learned from the financial 
crisis. The standards are consistent with and complement the Dodd-Frank Act by 
strengthening our Nation’s financial system. They reduce systemic risk and improve 
the safe and sound operation of the banks we regulate. 

Some of the revisions applicable to large, internationally active banks became 
fully effective on January 1 of this year. Most revisions, including the narrowing of 
instruments that count as regulatory capital, will be phased in over several years. 
For the largest, internationally active banks, this phase-in has already begun. For 
all other banks, the phase-in will begin in 2015. 

Leverage Ratio Capital Requirements 

Regulatory capital standards in the United States have long included both risk- 
based capital and leverage requirements, which work together, each offsetting the 
other’s potential weaknesses while minimizing incentives for regulatory capital arbi- 
trage. Among the more important revisions to the domestic capital rules was the 
addition of stricter leverage ratio requirements applicable to the largest, inter- 
nationally active banks. 

Under longstanding domestic capital requirements, all banking organizations® 
must meet a minimum leverage ratio. Our recent revisions to the capital rules now 
require certain large banking organizations also to meet a “supplementary leverage 
ratio” requirement. Unlike the more broadly applicable leverage ratio, this supple- 
mentary leverage ratio incorporates off-balance sheet exposures into the measure of 
leverage. It is expected to be more demanding because large banking organizations 
often have significant off-balance sheet exposures that arise from different types of 
lending commitments, derivatives, and other activities. 

To further strengthen the resiliency of the banking sector, in August of last year, 
the Federal banking agencies published a notice of proposed rulemaking (NPR) that 
would increase substantially the supplementary leverage ratio requirement for the 
largest and most systemically important banking organizations. Under the NPR, 
these banking organizations would be required to maintain even more tier 1 capital 
for every dollar of exposure in order to be deemed “well capitalized.” 

In January, the Basel Committee finalized revisions to the international leverage 
ratio standards upon which the Federal banking agencies based the supplementary 
leverage ratio NPR. 

While some reports have suggested these revisions amounted to a watering down 
of the international standards, a more accurate depiction of the changes relative to 
U.S. standards requires more elaboration. Although these standards have been re- 
laxed relative to a Basel Committee proposal issued in June 2013, the committee’s 
final standards are generally comparable to the final U.S. standards published last 
year and the measure of exposure used in the NPR. 

Two areas where the final Basel standards differ from the U.S. standards are the 
treatment of credit derivatives and off-balance sheet commitments. With respect to 
credit derivatives, the final Basel standards require a bank to treat a promise to 
pay a counterparty in the event of a credit default as the equivalent of providing 
a loan to the counterparty, because both transactions effectively involve the exten- 
sion of credit. This requirement is more stringent than the current U.S. rules, which 
focus only on the counterparty credit risk associated with credit derivatives. With 
respect to off-balance sheet commitments, the Basel leverage calculation includes a 
portion of the potential exposure amount for certain off-balance sheet commitments, 
rather than the entire potential exposure amount. This change reduces the exposure 
measure relative to the current U.S. standards, which generally assume that all of 
these commitments will be completely drawn at the same time. 


®The U.S. “banking organizations” subject to minimum capital rules include national banks, 
State member banks. Federal savings associations, and top-tier bank holding companies domi- 
ciled in the United States not subject to the Federal Reserve’s Small Bank Holding Company 
Policy Statement (12 CFR part 225, appendix C), as well as top-tier savings and loan holding 
companies domiciled in the United States, except certain savings and loan holding companies 
that are substantially engaged in insurance underwriting or commercial activities. 
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Even considering the change to the exposure measure for certain commitments, 
our preliminary analysis suggests that, in the aggregate, the final Basel standards 
will generate a larger measure of exposure — and will therefore be more stringent — 
than the current and proposed U.S. standards. However, this is likely to vary by 
bank. Banks with large credit derivatives portfolios likely will see greater increases 
in their exposure measures relative to other banks. 

Additionally, when considering the impact of the Basel standards, it is important 
to keep in mind that the NPR would increase the minimum supplementary leverage 
ratio requirements for systemically important banking organizations in the U.S. to 
6 percent at the bank level and 5 percent at the bank holding company level. While 
we are still considering comments received on this proposal, the OCC continues to 
support stronger leverage ratio standards than the 3 percent international min- 
imum. The Federal banking agencies will consider the revisions to the Basel Com- 
mittee’s leverage ratio framework, as well as the comments received in response to 
the NPR, as we continue with our work. The OCC supports the interagency efforts 
to ensure that the supplementary leverage ratio will serve as an effective backstop 
to the risk-based ratios and will work with the FDIC and the Federal Reserve to 
move forward with the rulemaking process in the near term. 

B. Enhanced Liquidity Standards 

Adequate and appropriate liquidity standards for the banks we regulate are an 
important post-financial crisis tool that is central to the proper functioning of finan- 
cial markets and the banking sector in general. The Federal banking agencies, 
working together, have made significant progress in implementing the Basel Com- 
mittee’s Liquidity Coverage Ratio in the United States. These liquidity standards 
will help ensure that banking organizations maintain sufficient liquidity during pe- 
riods of acute short-term financial distress. 

In November of last year, the Federal banking agencies issued a proposal that 
would require certain large financial companies, including large national banks and 
Federal savings associations, to hold high-quality liquid assets on each business day 
in an amount equal to or greater than its projected cash outflows minus its pro- 
jected inflows over a 30-day period of significant stress. The comment period for the 
proposed rule ended on January 31, 2014. The agencies are reviewing the comments 
and will be developing a final rule that I hope can be issued by the end of the year. 

The Federal banking agencies also are working with the Basel Committee to de- 
velop another liquidity requirement, the Net Stable Funding Ratio, to complement 
the Liquidity Coverage Ratio and enhance long-term structural funding. The Net 
Stable Funding Ratio would require banks to maintain a stable funding profile in 
relation to the composition of their assets and off-balance sheet activities. The Basel 
Committee recently published a consultative paper for comment that defines the re- 
quirements for this ratio. Once finalized, the Federal banking agencies will work to 
implement a U.S. rule, which is planned to go into effect on January 1, 2018. 

It is expected that these standards, once fully implemented, will complement ex- 
isting liquidity risk guidance and enhanced liquidity standards to be issued by the 
Federal Reserve, in consultation with the OCC, as part of the heightened prudential 
standards required under section 165 of the Dodd-Frank Act. 

TV. Volcker Rule 

The statutory provision referred to as the Volcker Rule is set forth in section 619 
of the Dodd-Frank Act. Section 619 prohibits a banking entity from engaging in 
short-term proprietary trading of financial instruments and from owning, spon- 
soring, or having certain relationships with hedge funds or private equity funds (re- 
ferred to here, and in the final regulations, as covered funds).'' Notwithstanding 
these prohibitions, section 619 permits certain financial activities, including market 
making, underwriting, risk-mitigating hedging, trading in Government obligations, 
and organizing and offering a covered fund. 

On December 10, 2013, the OCC, Federal Reserve, FDIC, Securities and Exchange 
Commission (SEC), and the Commodity Futures Trading Commission (CFTC) adopt- 
ed final regulations implementing the requirements of section 619.® In accordance 
with the statute, the final regulations prohibit banking entities from engaging in 
impermissible proprietary trading and strictly limit their ability to invest in covered 


The statute defines the term “banking entity” to cover generally any insured depository insti- 
tution (other than a limited purpose trust bank), any affiliate or subsidiary of an insured deposi- 
tory institution, and any company that controls an insured depository institution. See 12 U.S.C. 
1851(h)(1). 

79 FR 5536 (Jan. 31, 2014). The OCC, Federal Reserve, FDIC, and SEC issued a joint 
regulation, and the CFTC issued a separate regulation adopting the same common rule text and 
a substantially similar preamble. 
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funds. At the same time, the regulations are designed to preserve market liquidity 
and allow banks to continue to provide important client-oriented services. 

In developing the final regulations, the agencies carefully considered the more 
than 18,000 comments received on the proposed regulations from a diverse group 
of interests — including banks, securities firms, consumer and public interest groups. 
Members of Congress, foreign governments, and the general public.® Commenters 
raised numerous significant and complex issues with respect to the proposed regula- 
tions, and provided many — sometimes conflicting — recommendations. For example, 
the agencies heard from various commenters regarding the distinction between im- 
permissible proprietary trading and permitted market making, and with respect to 
the definition of a covered fund. These comments often highlighted key differences 
in the markets and asset classes subject to regulation by the respective agencies 
under the Volcker Rule. In contrast, other commenters urged the agencies to con- 
strue the statutory mandate narrowly to avoid the potential for evasion of the pro- 
prietary trading and covered fund prohibitions. 

To meet these challenges, the agencies worked closely with each other in devel- 
oping the final regulations, from the principal level down to staff at all the agencies 
who worked long days, nights, and weekends, to grapple with extraordinarily com- 
plex and important policy issues. Though the final regulations have been published, 
the OCC is continuing to work closely and cooperatively with the other agencies as 
we work on our supervisory implementation of the final regulations during the con- 
formance period, which runs through July 21, 2015.1® 

The statute applies to all banking entities, regardless of size; however, not all 
banking entities engage in activities presenting the risks the statute sought to curb. 
One of my priorities in the Volcker rulemaking was to make sure that the final reg- 
ulations imposed compliance obligations on banking entities in proportion to their 
involvement in covered activities and investments. The final regulations appro- 
priately recognize that not all banking entities pose the same risk and impose com- 
pliance obligations accordingly. So, a community bank that only trades in “plain va- 
nilla” Government obligations has no compliance obligations whatsoever under the 
final regulations. Community banks that engage in other low-risk covered activities 
will be subject to only minimal requirements. 

All banking entities, including community banks, will need to divest impermis- 
sible covered fund investments under the final regulations. Recently, however, the 
agencies heard, and promptly responded to, a concern raised by community institu- 
tions that the final regulations treated certain investments in a way that was incon- 
sistent with another important provision of the Dodd-Frank Act. Banking entities 
of all sizes hold collateralized debt obligations backed primarily by trust preferred 
securities (TruPS CDOs). These TruPS CDOs, originally issued some years ago as 
a means to facilitate capital raising efforts of small banks and mutual holding com- 
panies, would have been subject to eventual divestiture and immediate write-downs 
under the applicable accounting treatment under generally accepted accounting 
principles. As a number of community institutions pointed out to the agencies, this 
result was inconsistent with the Collins Amendment to the Dodd-Frank Act,^^ 
where Congress expressly protected existing TruPS as a component of regulatory 
capital for the issuing institution so long as the securities were issued by bank hold- 
ing companies with less than $15 billion in consolidated assets or by mutual holding 
companies. 

To mitigate the unintended consequences of the final regulations and harmonize 
them with the Collins Amendment, the agencies, on January 14, 2014, adopted an 
interim final rule to permit banking entities to retain an interest in or sponsor a 
TruPS CDO acquired before the final regulations were approved, provided certain 
requirements are met.^^ Among others, the banking entity must reasonably believe 
that the offering proceeds from the TruPS CDO were invested primarily in trust 
preferred securities issued prior to May 19, 2010, by a depository institution holding 


® Of the 18,000 comment letters, more than 600 were unique comment letters, and the remain- 
ing letters were from individuals who used a form letter. The agencies each also met with a 
number of the commenters to discuss issues raised by the proposed regulations and have pub- 
lished summaries of these meetings. 

Section 619 authorized a 2-year conformance period, until July 21, 2014, for banking enti- 
ties to conform their activities and investments to the requirement of the statute. The statute 
also permits the Federal Reserve to extend this conformance period, one year at a time, for a 
total of no more than three additional years. In a separate action, the Federal Reserve has ex- 
tended the conformance period for an additional year until July 21, 2015, and has indicated that 
it plans to monitor developments to determine whether additional extensions of the conformance 
period are in the public interest. 
iiSee 12 U.S.C. 5371(b)(4)(C). 

12 See 79 FR 5223 (Jan. 31, 2014). 
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company below a $15 billion threshold or by a mutual holding company. To help 
community institutions identify which CDO issuances remain permissible, the OCC, 
FDIC, and Federal Reserve have also issued a nonexclusive list of TruPS CDOs that 
meet the requirements of the interim final rule. 

For banking entities that engage in a high volume of trading and covered fund 
activities, namely, the largest banks, the final regulations will impose some signifi- 
cant changes. These large firms have been preparing for these changes since the 
statute became effective in July 2012, and have been shutting down impermissible 
proprietary trading operations. Now that the final regulations have been released, 
these institutions will need to take steps during the conformance period to bring 
their permitted trading and covered fund activities, such as market making, under- 
writing, hedging, and organizing and offering covered funds, into compliance with 
the requirements of the final regulations. Large banking entities must develop ro- 
bust compliance programs, and they will be required to compile and report quan- 
titative metrics on their trading activities that may serve as an indicator of poten- 
tial impermissible proprietary trading or a high-risk trading strategy. Banking enti- 
ties will not be able to use covered funds to circumvent the proprietary trading re- 
strictions, and they will not be able to bail out covered funds they sponsor or invest 
in. 

Of course, issuing a final regulation is only the beginning of the agencies’ imple- 
mentation process. Equally important is how the agencies will enforce it. The OCC 
is committed to developing a robust examination and enforcement program that en- 
sures the banking entities we supervise come into compliance and remain compliant 
with the Volcker Rule. In the near term, our priority is implementing examination 
procedures and training to help our examiners assess whether banks are taking the 
necessary steps to come into compliance with the final regulations by the end of the 
conformance period, and we are actively engaged in these efforts. Using these proce- 
dures, examiners will direct banks they examine to identify the range and size of 
activities and investments covered by the final regulations, and will assess banks’ 
processes and systems for metrics reporting and their project plans for bringing 
their trading activities and investments into conformance with the final regulations. 
Moreover, key OCC subject matter experts across our policy and supervision divi- 
sions are developing training for our examiners to be held later in 2014. We will 
build upon these initial procedures and training through the course of the conform- 
ance period as we further assess the progress and needs of our examiners. 

The agencies also are working to ensure consistency in application of the final reg- 
ulations. I am pleased to report that the OCC has led the formation of an inter- 
agency working group to address and collaborate on developing responses to key su- 
pervisory issues that arise under the final regulations. That interagency group held 
its first meeting in late January and will continue to meet on a regular basis going 
forward. The OCC is also participating in interagency training on the final regula- 
tions this spring and summer under the auspices of the FFIEC. 

When fully implemented, I believe the final regulations will achieve the legislative 
purpose for which the Volcker Rule was enacted. The final regulations will limit the 
risks the prohibited activities pose to the safety and soundness of banking entities 
and the U.S. financial system in a way that will permit banking entities to continue 
to engage in activities that are critical to capital generation for businesses of all 
sizes, households, and individuals, and that facilitate liquid markets. 

V. Derivatives — Title VII 

Pursuant to sections 731 and 763 of the Dodd-Frank Act, banks that are “swap 
dealers” must register with the CFTC, and those that are “securities-based swap 
dealers” must register with the SEC. The swap activities of banks that must reg- 
ister are subject to substantive requirements under Title VII of the Act. At this 
time, nine national banks have provisionally registered as swap dealers. 

Sections 731 and 763 also require the Federal banking agencies, together with the 
Federal Housing Finance Agency (FHFA) and the Farm Credit Administration 
(FCA), to impose minimum margin requirements on noncleared swaps and security- 
based swaps for swap dealers, major swap participants, security-based swap dealers, 
and major security-based swap participants that are banks. These agencies pub- 
lished a proposal to implement these requirements on May 11, 2011. 

After issuing the U.S. proposal, the Federal banking agencies participated in ef- 
forts by the Basel Committee and International Organization of Securities Commis- 
sions (IOSCO) to address coordinated implementation of margin requirements 
across the G-20 nations. Following extensive public comment, the Basel Committee 
and IOSCO finalized an international framework in September of 2013. 

The Federal banking agencies, together with the FHFA and the FCA, have re- 
viewed this framework and the comments received on the U.S. proposal. The Fed- 
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eral banking agencies received more than 100 comments from banks, asset man- 
agers, commercial end users, trade associations, and others. Many commenters fo- 
cused on the treatment of commercial end users, urging the agencies to exempt 
transactions with such entities from the margin requirements in a manner con- 
sistent with the approach taken in the Basel Committee-IOSCO framework. The 
Federal hanking agencies are currently evaluating the changes indicated under the 
framework and suggested by commenters and expect to issue a final rule in the 
coming months. 

Additionally, banks that are registered swap dealers are subject to the derivatives 
push-out requirements in section 716 of the Dodd-Frank Act. This provision, which 
became effective on July 16, 2013, generally prohibits Federal assistance to swap 
dealers. The statute required the OCC to grant banks it supervises a transition pe- 
riod of up to 24 months to comply. We have granted a 24-month transition period 
to nine national banks and four Federal branches. We concluded that the transition 
period is necessary to allow banks to develop a transition plan for an orderly ces- 
sation or divestiture of certain swap activities that does not unduly disrupt lending 
activities and other functions that the statute required us to consider. 

VI. Other Dodd-Frank Rulemakings 

The OCC has made considerable progress on other Dodd-Frank requirements. In 
August of last year, we issued a final rule to implement a provision in section 610 
of the Act, which requires that an institution’s lending limit calculation account for 
credit exposure arising from derivatives and securities financing transactions. The 
new rule specifies methods to calculate this credit exposure. In addition, we joined 
the other members of the FFIEC and the SEC in November to propose Joint Stand- 
ards for Assessing Diversity Policies and Practices of Regulated Entities. These pro- 
posed standards implement a provision in section 342 of the Dodd-Frank Act and 
are intended to promote transparency and awareness of diversity within these enti- 
ties. 

A. Appraisals 

The Dodd-Frank Act contains a number of provisions relating to appraisals, and 
the Federal banking agencies, along with the NCUA, FHFA, and the Bureau of Con- 
sumer Financial Protection (CFPB), continue to work to implement these provisions. 
As I have previously reported, these agencies issued a final rule last year requiring 
all creditors, subject to certain exceptions, to comply with additional appraisal re- 
quirements before advancing credit for higher-risk mortgage loans. This past De- 
cember, these agencies issued a supplemental final rule to revise one of the exemp- 
tions and include two additional exemptions. These changes reduce regulatory bur- 
den and reflect comments the agencies received from the public. 

In the coming months, the agencies plan to publish a proposal to establish min- 
imum requirements for State registration of appraisal management companies, 
known as AMCs, which serve as intermediaries between appraisers and lenders. 
This rule will ensure that appraisals coordinated by AMCs adhere to applicable 
quality control standards and will facilitate State oversight of AMCs. The proposal 
also will implement the Dodd-Frank Act requirement that the States’ report to the 
FFIEC’s Appraisal Subcommittee information needed to administer a national AMC 
registry. 

The agencies also are working collaboratively on a proposal to implement specific 
quality control standards for automated valuation models, which are computer mod- 
els used to assess the value of real estate that serves as collateral for loans or pools 
of loans. We expect to issue this proposal later in 2014. Finally, the agencies are 
considering rulemaking options to complement an interim final rule issued by the 
Federal Reserve in 2010 that implements statutory appraisal independence require- 
ments. 

B. Credit Risk Retention 

The Federal banking agencies, together with FHFA, the SEC, and the Depart- 
ment of Housing and Urban Development, continue to work on implementing the 
credit risk retention requirements for asset securitization in section 941 of the 
Dodd-Frank Act. In 2011, these agencies proposed a rule to implement section 941 
and received over 10,000 comments, which offered many thoughtful suggestions. 
These agencies concluded that the rulemaking would benefit from a second round 
of public review and comment, and we reproposed the rule in September 2013. Al- 
though the reproposal includes significant changes from the original proposal, its 
focus is the same — to ensure that sponsors are held accountable for the performance 
of the assets they securitize. 

The comment period for the reproposal has now closed, and we are working on 
a final rule. While we expect to complete this project in the near future, the inter- 
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agency group is working through some significant issues. For example, the agencies 
received a substantial number of comments regarding the definition of “qualified 
residential mortgage” and the extent to which it should incorporate the CFPB’s defi- 
nition of “qualified mortgage.” The agencies also received numerous comments, in- 
cluding some from Members of this Committee, regarding the treatment of 
collateralized loan obligations. We are carefully considering these and other issues, 
with the goal of balancing meaningful risk retention with the availability of credit 
to individuals and businesses. 

C. Incentive-Based Compensation Arrangements 

Finally, the OCC continues to work on the implementation of section 956 of the 
Dodd-Frank Act, which requires us to prescribe regulations or guidelines regarding 
incentive-based compensation. The Federal banking agencies, along with the NCUA 
and the SEC, proposed a rule that would require the reporting of certain incentive- 
based compensation arrangements by a covered financial institution and would pro- 
hibit incentive-based compensation arrangements at a covered financial institution 
that provides excessive compensation or could expose the institution to inappro- 
priate risks leading to a material financial loss. The agencies received thousands of 
comments on this proposal and will address the issues raised by the commenters 
in the final rule. 

Conclusion 

Thank you again for the opportunity to appear before you and to update the Com- 
mittee on the OCC’s continued work to implement the Dodd-Frank Act and enhance 
our efforts to regulate our country’s national banks and Federal savings associa- 
tions. 
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Tfstimony on •‘Ovorsishl of Kinaiidil Slability and Data Securilj” 
by 

Chair Mary Jo White 
V.S. Seairities mid Exchange Commission 

Before the I nited States Senate Committee on Banking, Housing, and I'rban Affairs 
February 6, 2014 

Chainnan Jolmson, Ranking Member Crapo, and members of the Committee, 

Thank you for inviting me to testify about the Securities and Exchange Commission’s 
("SEC” or "Commission”) ongoing implementation of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act ("Dodd-Frank Act” or “Act”) and our efforts regarding data security.’ 

The SEC's overarching mission is to protect investors, maintain fair, orderly, and 
eflicicnl markets, and facilitate capital formation. The Dodd-Frank .Act gave the SEC significant 
new responsibilities over, among other things, municipal advisors, hedge fund and other private 
fund advisers, and over-the-counter derivatives. Tlie Act also established a new whistleblower 
program designed to strengthen the SEC's enforcement functions, enhanced the SEC’s authority 
over credit rating agencies and clearing agencies, and strengthened the regulation of asset-backed 
securities. Implementing these new responsibilities has required the SEC to undertake one of the 
largest and most complex nilemaking agendas in die history of the agency, with more than 90 
provisions that require SEC rulemaking and more than 20 other provisions that require studies or 
reports. In addition, die .Act and the financial crisis focused the SEC’s efforts more directly on 
enhancing financial stability and tlie reduction of systemic risk. 

The SEC has made sub.stantial progress implementing this agenda. Since I arrived at the 
Commission in .April 2013, we have advanced rules and other initiatives across the wide range of 
regulatory objectives set by the Dodd-Frank Act as well as the Jumpstart Our Business Startups 
("JOBS”) .Act. .Among other areas, our efforts under the Dodd-Frank .Act have covered: 

• The registration and regulation of over a thousand municipal advisors; 

• The assessment and analytical deployment of the first complete set of data from 
Form PF filings by registered advisers to private funds, including hedge funds 
and private equity funds, so that the SEC and the FinaiKial Stability Oi ersight 
Council (“FSOC”) can belter assess tlie impact of these funds on financial 
stability, 

• Tlie cross-border application of our security-based swap rules in the global swaps 
market: 


' The views expressed in this lestunony are those of the Chair of the Securities and Exchange Couimission and do 
not necessanly represent the views of the full Commission 
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• Proprielan- trading and mvcsimenis in private funds by banks and tlteir affiliates, 
under what is commonly called the “Voicker Rule”; 

• Further safeguarding the custody of customer funds and securities by broker- 
dealers and the framew ork under w hich such custody is independently audited; 

• The removal of references to nationally recognized statistical rating organization 
(■‘NRSRO”) ratings in our broker-dealer and investment company regulations; 

• The disclosure of tlie ratio of the compensation a company pays to its C EO 
relative to the compensation it pays its median employee; 

• Tlie disqualification of felons and other "bad actors" from important private 
securities offering exemptions; 

• The retention of a certain amount of credit risk by securitizers of asset-backed 
securities; and 

• Programs established by broker-dealers, investment companies, and other 
regulated entities to address risks of identity iheR. 

These efforts are in addition to the rules we have proposed or adopted to implement the JOBS 
Act, including rules intended to increase access to capital for smaller companies by pennitting 
the use of general solicitation in certain private offerings, crowdfunding, and updating and 
expanding the Regulation A exemplioa Despite our significant progress, work remains to be 
done with respect to both statutes. To that end. completing the rulemakings and studies 
mandated by Congress in these tw o statutes remains among the top priorities for the 
Commission. 

.As requested by the Committee, my testimony today will provide an overview of the 
Conmiission's Dodd-Frank .Act implementation and discuss those ntles which are yet to be 
completed.* 


Municipal Securities 

The Dodd-Frank Act included several provisions related to the municipal securities 
market, which encompasses over $3.7 trillion in outstanding municipal securities, over 44,000 
municipal issuers, and an average of over 12,000 bond issues annually. The .Act created a new 
class of regulated persons, "municipal advisors.” and requires tliese advisors to register witli the 
SEC. This registration requirement applies to persons who provide advice to municipal entities 
or obligated persons on municipal finaiKial products or the issuance of municipal securities, or 


‘ A list of the nilemalang provisions in the Dodd-Fnink Act applicable to the SEC is attached as Appendix A. 


2 
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who solicit municipal entities or obligated persons ’ In September 2013, the Commission 
adopted fmal rules for municipal adsrsor legistration.'' 

The final rules proside guidance on the statutory' definition of tlie term “municipal 
ads isor,” the statutors' exclusions from that definition, and certain additional regulators' 
exemptions. The new registration re<|ui[ements and regulators’ standards arc intended to mitigate 
some of the problems obsers ed svith the conduct of some municipal advisors, including “pay to 
play” practices, undisclosed conflicts of interest, adsice rendered by fmancial advisors svithout 
adequate training or qualifications, and failure to place tlie duty of loyalty to their clients ahead 
of their own interests. Compliance svilli the final rules svill be required on July 1. 2014.’ svith a 
pltased-in compliance period for registration using die final forms beginning on dial day and 
ending on October 31, 2014. 

The Dodd-l-rank .Act also required the Commission to establish an Office of Municipal 
Securities ("OMS”), reporting directly to the Chair, to administer the rules pertaining to broker- 
dealers. municipal advisors, investors and issuers of municipal securities, and to coordinate svidi 
the Municipal Securities Rulemaking Board (“MSRB") on rulemaking and enforcement actions.® 
During its first year of operations, OMS devoted its attention primarily to finalizing the 
municipal advisor registration final rules and presenting these fmal rules for the Commission's 
consideration. Over the next year, OMS expects to devote significant attention to implementing 
these final mies. including providing interpretive guidance to market participants, participating 
in the review of municipal advisor registrations, and review ing a significant number of rule 
filings by the MSRB related to municipal advisor regulation. In addition. OMS also continues to 
monitor current issues in the municipal securities market (such as pension disclosure, accounting 
and municipal bankruptcy Issues) and to atisist in considering further recommendations to the 
Commision with respect to disclosure, market structure, and price transparency in the municipal 
securities markets.’ 


’ In September 2010, the Commission adopted, and subsequently extended, an interim final rule establishii^ a 
temporary means for mume^l advisors to satisfy the registration requirernem. Sue Release No. 34.fi2S24, 
Tempomry Registration of Siutiicipal Advisors, (September 1. 20101. htto:'Vwww,sec.eov 'rules tnterim'201Q''34- 
62824,ixlf . The Commission has received over I.IOOconfiimedr^uationsof municipal advisorspursuant to this 
temporary nile. 

* See Regisualion of Municipal Advisors, Release No. 34-70462 (Septemba 20. 2013), 

him wwit sec nov tules final 2013 .34-711462 ndf . See nfsoRcgisnationofMunicipal Advisors Frequenlly Asked 
Questions (issued on January 10, 2014 and last updated on January 16, 2014), 

httn WWW sec govinfomimicinal/mim-advisors-faQs ndf The staff in the Office of Municipal Securities provided 
this interpretive guidance to address certain questions that arose from municipal market participants relating to the 
implementation of the final mIes. 

’ See Release No. 34-712SS, Registration o/Umicipal Advisors: Temporary Stay ofFinalRule, (January 13, 2014), 
him yww sec.eov. rules final'2(il 4 34-7 1 288 ndf 

* See §979 of the Dodd-Frank Act 

^ See recommendaUons in the Commission's Report on the Municipal Securities Market (July 31, 2012), 
htto: ivwwseceovneusstudies20l2mumretxitt073112Ddf 
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Private Fund Adviser Registration and Reporting 

Title IV of the Dodd-Frank Act directed the Commission to implement a number of 
provisions designed to enhance the oversight of private fund advisers, including registration of 
advisers to hedge funds and other private funds that were prev iously exempt from SEC 
registtation. These provisions enable regulators to have a more comprehensive view of private 
funds and the invesmient advisers managing those assets. 

The SEC’s implementation of required ndemaking under Title IV is complete. In June 
201 1, the Commis.sion adopted ntles requiring advisers to hedge funds artd other private funds to 
regirrter by March 201 2. addressing what had once been a sizable "blind spot” in regulators' 
ability to monitor for systemic risk and poterrtial misconduct.* As a result of the Dodd-Frank 
.Act and the SEC's new rules, the number of SEC-registered private fund advisers has increased 
by more than SO*^!) to 4, 136 advisers. Even after accoimting for the shift of mid-.siz,ed advisers to 
state registration pursuant to the Dodd-Frank .Act,’ the total amount of assets managed by SEC- 
regi.stered advisers has increa.sed signifrcantly from S43.8 trillion in .April 201 1 to $S3.4 trillion 
in December 2013, while the total number of SEC-registered adv isers dropped only sligirtly from 
1 1,505 to 10.920. It is also worth noting that the newly-registered private fund advisers typically 
have investment strategies, poterrtial conflicts, and other regulatory issues that are much mote 
complex than tire advisers that switched to state registration. 

Concurrently with the rules requiring the registration of private fund advisers, the 
Conmrission adopted rules to implement new adviser registration e.xemptions created by the 
Dodd-Frank Act. The new rules implemented exemptions for advisers to venture capital funds 
and for advisers to private funds with less than SI 50 million in assets under management in the 
United States. Consistent with the Dodd Frank .Act, these exempt reporting adv isers are now 
required to file basic reporting irrfonnation each year with tire Commission, but are not subject to 
routine examination. Today, there are approximately 2,500 exempt reporting advisers that have 
tried reports with respect to almost 8,000 private ftmds with total assets of over $2.4 trillion. 

For private furtd advisers required to be registered with tire Commission, pursrrant to the 
Dodd-Frank .Act, tire Commission adopted confrdential systemic risk repotting requirements on 
Form PF in October 201 1 to assist tire FSOC in systemic risk oversight." .As required by the 


* See Release No, IA-322I, Rules Implemenling AmenAnenls to the Imeslmenl Advisers Act qfWAOiluneH, 

201 1], httt)''v»w,secg)v.tulesfriial 201 1 13-3221 ndf 

’&< Release No [A-322 1 . Rules Implementing Amendments to the Investment Advisers Act (^1940 (June 22, 
20li'l. hlln . «Tiiveset.Bov.nilesliiiaI20ll ia-.322l,ixlf 

“ See Release No IA-3222, Exemptions for Advisers to I'entun Capital Funds, Private Fund Advisers K'ith Less 
Than SlSOhlillion in Assets Under ManagemenlandForeigi Private Advisersllax71,lO\\), 
http WWW sec eov rules final 201 l.ia-3222 pdf 

" See Release No. lA-3308, Reporting by Investment Advisers to Private Funds and Certain CommodtyPool 
Operators and Commodity Trading Advisors on Form PF; Joint Final Rule (October 21 , 201 1 k 
http: WWW sec eov mics final 201 1 ia-3308 pdf 
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Act, Forai PF was designed in consultation with FSOC, and the data filed on Fomt PF has been 
made available to the Office of Financial Research within tlie Department of the Treasure'. 

As a result of staggered filing dates, the Commission first received a full complement of 
Form PF filings last year. To date, approximately 2,400 investment advisers have filed reports 
on approximately 7,000 hedge funds. 66 liquidity funds and 6.000 private equity funds. 
Consistent with enhanced confidentiality provisions established under the Dodd-Frank Act for 
information collected on Fonn PF, filings are made on a secure filing system that encrypts data, 
and Commission staff has designed and implemented controls for handling of Form PF data 
across the agency. Commission staff also uses the data in connection w ith tlie Commission's 
regulatory mission, including in examinations, investigations, and investor protection efforts. .As 
required by die Dodd-Frank Act, Commis.sion staff transmitted a report to Congress this past 
July on these uses. Use of the new Form PF data has been a helpful supplement to the staffs 
overall efforts to enhance monitoring of the investment advisory industry to identify trends and 
emerging risks. 

We recognize that the Dodd-Frank .Act mandates new registration and compliance 
responsibilities for many private fund advisers. As a result. Commission staff has sought to 
better understand and take into account private fund business models and the needs of private 
fund investors. During 20 1 3, Commission staff reviewed the .Advisers Act and its rules and 
provided guidance regarding their application to private fund advisers, including guidance to 
clarify: when an adviser to an audited private fund may itself maintain custody of private stock 
certificates instead of holding tlKin at a third party custodian;'’ when certain private fund 
investors are qualified clients under the .Advisers .Act:'’ and the application of the venture capital 
exemption in certain common scenarios.'’ 

In addition. Commission staff has launched an initiative to conduct focused, risk-based 
e.xams of newly registered private fund advisers. These “presence” examinations are shorter in 
duration and more streamlined Ilian typical examinations, and are designed both to engage with 
the new registrants to inform them of their obligations as registeied entities and to pemiit the 
Commission to examine a higher percentage of new registrants. The initiative includes 
examinations, outreach, and. where appropriate, written publications highlighting exam findings. 
SEC examination staff has identified five critical areas that are the focus of these examinations: 
(I) marketing; (2) portfolio management; (3) conflicts of interest; (4) safety of client assets; and 


“ See Amial Suiff Report Regardng the Use c^Data Collected from Prnxile Fund Systemic Risk Reports (July 25, 
2013), hllr mv.sec gov iK«sludies.20l3'lm-annuBlraxirl-072513.i)df . 

See Ibt Guidance Update, Prrvotefy Offered Securities under die Investment Adviser Act Custotfy Rule (August 
2013), him:' www'.sec.gov divisions investment guidance m-euidance-20l3-i:4 pdf . 

“ Sie Ibl Guidance Update, Status iff Certain Private Fund Investors as Quatified Clients (November 20 1 3), 
http : 'WWW sec gov divBioiK investment guidance im.euidance-2013. 10 pdf . 

See Ibi Guidance Update, Guidance on the Exemption for Advisers to Venture Capital Funds (December 2013), 
http: WWW sec gov divisions investment guidance im-guidance- 2013-13 pdf . 
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(5) valuation. As of early January 2014, staff had completed approximately 250 examinations of 
newly registered private fund advisers and had over 30 additional examinations underway. 


Whistleblower Program 

Pursuant to Section 922 of the Dodd-Frank Act the SEC established a whistleblower 
program to pay awards to eligible whistleblowers who voluntarily provide the agency with 
original information about a violation of the federal securities laws that leads to a successful SEC 
enforcement action in which over $1 million in sanctions is ordered. Tlie SEC’s Office of the 
Whistleblower, which administers tlie program, filed its third Annual Report to Congress on 
November 15, 2013,** As detailed in the .Annual Report, during FY 2013 the Commission 
received 3,238 tips from whistleblowers in the United States and 55 other countries. The high 
quality infomiation that we have been receiving from whistleblowers has. in many instances, 
allowed our investigative staff to work more efficiently and permitted us to better utilize agency 
resources. In addition, on September 30. 2013, the Commi.ssion made its largest whistleblower 
award to date under the program, awarding over $14 million to a whistleblower whose 
infomiation led to an SEC enforcement action that recovered substantial investor funds.'* We 
expect future payments to further increase the visibility and effectiveness of this important 
enforcement initiative. 


Over-the-f 'ounter Derivatives 

The Dodd-Frank Act established a new' oversight regime for the over-the-counter 
derivatives marketplace. Title VII of the Act requires the Commission to regulate “security- 
bailed swaps” and to write rules that address, among other things; mandatory clearing; trade 
reporting and trade execution; the operation of clearing agencies, trade data repositories, and 
trade execution facilities; capital, margin, and segregation requirements and business conduct 
standards for dealers and major market participants; and public transparency for transactional 
infomiation. Such roles are intended to achieve a number of goals, including: 

• Facilitating the centralized clearing of security-based swaps, whenever possible and 
appropriate, with the intent of reducing counterparty and systemic risk; 

• Increasing transparency for market participants and regulators in their efforts to monitor 
the market and. as appropriate, address risks to financial .stability; 

• Increasing security-based swap transaction disclosure; 


Annual Report on the Dodd-Frank IFhistleblower Program Fiscal Year 2013 (November 2013), 
htlD WWW sec gov about offices owbannual-report- 201 3. pdf . 

” See In iie Matter of Claim for Award, SEC Release No 34-70554 (September 30, 2013), 

http'iwww sec eovirules other 2013 34-70554 odf . and SEC Awards more than S14 Million to lYhistleblower, SEC 

Release No. 2013-209 (October 1, 2013X 

hap; w'ww.sec.eov/News/PiessReleaseiIletail'PressRelease.'13705398541S8 
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• Reducing counterparty and s>^eniic risk through capita!, margin and segregation 
requirements for non-bank dealers and major market participants; and 

• Addressing potential conflict of interest issues relating to security-based swaps. 

The Commission issued a sequencing policy statement in June 2012 describing, and 
requesting public comment on, the order in which it expects to require compliance by market 
participants with its final Title VII rules. Tlie policy statement is part of our overall 
commitment to making sure that market participants know what the “rules of the road” are 
before requiring compliance with those rules. The statement emphasizes that those subject to the 
new regulator)' requirements from these rules will be given adequate, but not excessive, time to 
come into compliance with them. As part of this commitment the Commission also has taken a 
number of steps to provide legal certainty and avoid unnecessary market disniption pending 
implementation of Title VII.’^ 

Consistent with this policy statement the Commission has proposed substantially all of 
the core rules required by Title Vlt proposed niles and interpretive guidance addressing the 
application of Title VII in the cross-border context, and adopted several key final rules and 
interpretations, b anticipation of additional final rulemakings, the Commission also last year 


Sue Release No. 34*37 177, StaiemenI of General Policy on the Sequencing of the Compliance Dates for Rules 
Applicable to Security-Based S-HOps (June 11, 20121 http://www.scc gov'rulcs/'policv '201 2'34-671 77.Ddf. 

These steps include guidance regarding which provisions in Title VII governing security-based swaps became 
curable as of the effective date of Title Vn, as well as temporary relief from several other provisions. See Release 
No. 34-64678, Temporary Exemptions and Other Temporary Relief Together with Information on Compliance 
Dates for New Provisions of the Securities Exchange Act of 1934 Applicable to Security-Based Swaps (June 1 5, 

201 l)t httD:.Vw^ww.sec.eov*'rule&''exorders''20] I <34-64678. pdf . 

In addition, the Commission has provided guidance regardii^ - and, where appropriate, interim exemptiems from - 
the various pre-Dodd-Frank provisions that otherwise would have applied to security-based swaps on the effective 
date. See Release No. 34-64795, Order Grmhng Temporary Exemptions under die Securities Exchange Act of 1 934 
in Connection with the Pending Revision of the Definition of "Security ” to Encompass Security-Based Snaps, and 
Request for Comment (July 1. 201 1). httD://sec.gov.'rules/'exorder&'201 l>34-6479.5.Ddf: Release No. 34-68864, Order 
Extending Temporary Exemptions under die Securities Exchange Act of 1934 in Connection with the Pending 
Revision of the Definition of "Security " to Encompass Security-Based Swaps and Request for Comment (February 
7, 201 3), ltttn://www.secgov/'rules'exordcrs/2013r'34-68864.Ddf: Release No. 33-923 1 , Exemptions for Security- 
Based Swaps (My 1, 201 11 httD://www.sec.gov.'rules.'interim.'201 f 33-9231. odf : and Release No. 33-9383, 
Extensitm of Exemptiems for Security-Based Swaps (January 29, 20 1 3). http://www.sec.gov/niles/interim, ^01333- 
9383-txlf. 

The Commission has also provided temporary relief for entities providing certain cleanng services for security- 
based swaps. See Release No. 34-64796, Order Pursuant to Section 36 of the Securities Exchange Act of 1 934 
Granting Temporary Exemptions from Clearing Agency Regi^ration Requirements under Section 1 7A(b) of the 
Exchange Act for Entities Provithng Certain Clearing Services for Security-Based Swaps (July 1 , 20 1 1 ). 
http 7sec.gov.^rules''e.xorders'2011 '34-64796.pdf 


7 


75 


reopened the comment periods for all of its proposals under Title VII. Continuing to complete 
Title VII rules is a priority for 2014.^ 

In implementing Title VTI, Commission staff has consulted regularly with staff of the 
Commodity Futures Trading Commission (“CFTC’X as well as the staffs of the Board of 
Governors of the Federal Reserve System (“Board”) and other federal financial regulators. We 
will continue to consult and coordinate with the CFTC to assure consistency and comparability 
to the e.xtent possible. The Commission staff also has been actively engaged in ongoing 
discussions with domestic and foreign regulators regarding the direction of international 
derivatives regulation and the Commission’s efforts to implement Title VII, including 
participation in tlie Financial Stability Board and tlie International Organization of Securities 
Commissions, and engaging in regulatory dialogues with other countries about our respective 
regulatory reform efforts. 

The Commission’s more recent efforts to implement Title VII are discussed below in 
more detail. 

Proposal of Rules Regarding the Application of Title VII in the Cross-Border Context 

Given the highly global nature of the derivatives market, the application of Title VII in 
the cros.s-border context is a key implementation issue. In May 2013, the Commission issued a 
comprehensive proposal regarding the application of Title VII to cross-border security-ba.sed 
swap transactions (the “Cross-Border Propo.sal”).^' The Cross-Border Proposal includes 
proposed roles and interpretive guidance that, among other things, would inform parties to a 
security-based swap transaction about which regulatory' requirements apply when their 
transaction occurs in part within and in part outside the United States. In addition, the Cross- 
Border Proposal provides proposed interpretive guidance regarding when a trading platform or 
clearing agency is required to register with the Commission. 

Under the Cross-Border Proposal, a party may have the ability to comply with 
Commission requirements in one or more areas covered by the Title VII roles by complying 
instead with some or all of the requirements of a foreign regulatory' regime, provided that those 
requirements have been detennined by the Commission to achieve comparable regulatory' 
outcomes. The Cross-Border Proposal refers to this approach as “substituted compliance.” 
Under substituted compliance, a foreign market participant would be permitted to comply with 
the requirements imposed by its own home country, so long as those requirements achieve 
regulatory outcomes comparable with the regulatory outcomes of the relevant provisions of Title 
VII, as detennined by the Commission. If tlie home country does not have requirements that 


“ See Release No. 34-69491 . Reopening of Commeni Periods for Certain Rulemakmg Releases and Policy 
Siatement Applicable to Security-Based Swaps Proposed Pursuant to the Securities Exchange Act of 1934 and the 
Dodd-Frank Wall Street Reform and Consumer Protection Act (May 1 . 20 1 3), 
haD ' a-wa-secaor lules-DTODOsed 201334-69491 pdf 

” See Release No. 3469490, Cross-Border Securit}'-Based Swap Activities; Re-Proposal of Regulation SBSi and 
Certain Rules and Forms Relating to die Registration of Security-Based Swap Dealers and Major Security-Based 
Swap Participants (May 1, 2013X Imp see gov tales nroixweO 2n 1 : 34-<!Xi i7 1 ixlf 
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achieve comparable regulator}' outcomes, substituted compliance would not be permitted and the 
foreign entity would be required to comply with tlie applicable U.S. requirements. 

The Commission is actively review ing public input on the Cross*Border Proposal, as 
well as public comment we have received on other Title proposals, including in response to 
the reopening of the comment periods on those proposals. In addition, we are considering the 
final cross-border guidance approved by the CFTC on July 12. 2013, public comment on that 
guidance, and subsequent developments, including a pending legal challenge, related to that 
guidance. 

Adoption cf Key Definitional Rules 

In July 20IZ the Commission adopted fmal niles and interpretations jointly with the 
CFTC regarding key product definitions under Title VH.^ This effort follows the Commission s 
work on the entity definition rules, w hich the Commission adopted jointly w itli the CFTC in 
.April 2012.^ The completion of these joint rulemakings was a foundational step toward the 
complete implementation of Title VII. 

.Although foundational, these final rules did not trigger compliance with the other rules 
tlie Commission is adopting under Title VH. Instead, the compliance dates applicable to each 
final rule will be set forth in the adopting release for the applicable rule in order to better pro\nde 
for an orderly implementation of the various Title VII rules. 

Next Steps for Implementation of Title VJl 

The Commission staff continues to w ork to develop recommendations for final rules 
required by Title MI that have been proposed but not yet adopted. These final rules will address: 

• Application of Title VH in the cross-border context; 

• Regulators' reporting and post-trade public trajisparency;'^ 


** See Release No. 33*9338, Fur^r Definition of “Swap,” “Secunfy’Based Swap, "and “Seanity-Based Swap 
.4^reement": Maced Swaps: Seevniy-Based SMop Agreement ReconSceepmg (July 18, 2012) 
http WWW sec aov rules final 2<>l 2. '33-9.338 txlf 

® See Release No. iA^i6i,FurdierDefimtionof"SwapDeakr.'’ “SecuritV'Based Swap Dealer," "Major Swap 
FarUcipant , " "Major Securi^'-Based Swap Partidpant ” and "Eligible Contract Partidpant" (April 27, ^1 2) 
http u-ww sec gov rules final 21112 .^4-66868 pdf also Memorandum from the Division of Wsk. Strategy, and 

Financial Innovaticm, Iifomation regarding activities and positions of partidpants in the single-name credit default 
swap maHcel (March 1 5, 2012) http www sec gov commCTtss7*39-li>s73910*154 pdf (analvang the level of 
trading activity and positions in the credit default swap market to assist the Commission in evaluating the impact of 
alternative approaches to implementing de minimis exceptions to ceitam deftniuons) 

“ See Release No. 34*63346, Regulation SB3(— Reporting and Dissemmation of Security-Based Swap Information 
(November 19, 2010X http www.sec eov mics proposed 2010 34-63346 pdf: and Release No. 34*63347, Security- 
Based Swap Data Repository Registration. Duties mdCon PrindplesOiwmhtT 19, 2010X 
http WWW sec gov riiles proposed2010 34-63347pdf . In 2013. the Commission re-proposed Regulation SBSR 
See Release No. 34-69490. Cross-Border Security-Based Swap AcUvities; Re-Propo^ ^ Regulahon SBSR and 
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• SccuritV'basc'd swap dealers aiid major security^based swap participant requirements:^^ 

• Mandator) clearing and trade execution, and die regulation of clearing agencies and 
security*based swap execution facilities:^ and 

• Enforcement and market integrity.^’ 

As indicated in the Cross-Border Proposal, the Commission is likely to consider certain 
of the issues presented in that proposal in an initial cross-border adopting release. Under such an 
approach, this initial cross-border adopting release would likely focnis on adopting key 
definitions relevant to the application of Title VII in the cros.s-border context: other matters 
raised by the Cross-Border Proposal would be addressed in subsequent releases. Such an 
approach would allow the Commission to consider die cross-border application of the 
substantive requirements imposed by Title VII in conjunction with the final rules that will 
implement those substantive requirements. 

In addition. I ex'pect that die Commission in the short term will consider rules relating to 
recordkeeping and reporting requirements for security-based swap dealers and major security- 
based swap participants. I also expect that the Commission will consider the application of 


Certain Rules and Forms Relating to the Repsiration of Seainty-BasedSwap Dealers and Major Securiiy-Based 
Swap PartKipants (May 1, 2013). http ^w w sec gov 'ml<»'proposcd 2013 34-69490.r^^ and Release No. 34- 
69491. 

^ See Release No. 34-65543, Registration ofSecunty-Based Sn ap Dealers and Mt^orSeemty’Bosed Snap 

Porticipfln/i (October 12, 20U), http: wwwsec gov Tulcs proposed2011 34-65543 pdf . Release No. 34-68071, 

Capitol Margin, and Segregation Requirements for Security-Based S'^ap Dealers and Major Secunty-Based Swip 

Pardapants andCapitid Requirements for Broker-DealersiOdcba 18, 2012X 

httn vivrK sec eov niles nroposed 2o 1 234-6807 1 ndf Release No. 34-64766. Business Conduct Standards for 

Secunfy'-BasedSwapsDeakrandMqjor Security-Based Swap Participants {J\int29,‘2G\ )X 

hno wvrt; sec eov rules proposed 2<.)1 1 34-64766 tdf. and Release No. 34-63727, Trade AcknoMei^ent and 

I'erification on Security-Based Snap Transactions (January 14, 201 IX hao 7^-ww sec.eox- nijesoroposed^iOl 1 34- 

^3?27M . 

“ See Release No. y4-6iSS6, End-User Exception cfMandatory Clearing of Security-Based Snaps (Peembet 15, 
2010), httP: ' wwu:sec p)v/rule& fytyosed201O'34-635^^ Please No. 34-63107. Onner^ip imitations and 
Goverrumce Requirements for Security-Based Snap Cleanr^ Agenaes. Secunty-Based Snap Execution Facilities, 
and S^atimal Securities Exidianges wdi Respect So Security-Based Swaps under Regulation A/C (October 1 4, 201 OX 
htlp wvrw sec eov nilcs proposed 20 10 34-63 107 pdf: a nd Registration ondRegulation if Securil}'-Based Snap 
Execution Facilities (Februaiy 2, 201 IX hap: ^-ww.sec.ecyv rules Tyoposcd201 1 34-63825.pdf 

In March 2012, the Comnussion adopted rules providing exemptions under the Securities Act of 1933 f'Secunties 
Act"^ the Securities Exchai^e Act of 1 934 (“^change Act“). and the Trust Indenture Act of 1 939 for security- 
based swaps transactions involving certain clearing agencies sabs^ir^ certam conditions See Release No. 33-930$, 
Exemptions for Security-Based Swaps Issued by Certam Clearing Agencies (March 30, 201 2), 
hUP. ^w sec.eov Wes final 

^ See Release No. 34-63236. Prtfodiition Against Fraud, Mmipuladon, and Deception in Connection with 
Security-Based Jn-aps (November 3, 2010), htP .ti.ww scc.gQv rul^^^ 
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mandaton clearing requirements to single-name credit default swaps, starting with those that 
were first cleared prior to tlte enactment of the Dodd-Frank Act. 


Clearing .\gencie$ 

Title VIII of the Dodd-Frank Act provides for increased regulation of financial market 
utilities'^ (“FMUs"') and financial institutions lliat engage in pavment, clearing, and settlement 
activities designated as sN'stcmically important. The purpose of Title VIII is to mitigate systemic 
risk in the financial sNstem and promote financial stability. In addition. Title MI of the Dodd- 
Frank Act requires, among other things, that an entity acting as a clearing agency u ith respect to 
security-based swaps register with the Commission and that the Commission adopt rules with 
respect to clearing agencies that clear security-based swaps. 

Adoption cff Clearing Agency Standards 

To furtlier these objectives and promote the integrilv' of clearing agency operations and 
governance, the Commission adopted rules in October 2012 requiring all registered clearing 
agencies to maintain certain standards with respect to risk management and certain operational 
matters.^ The rules also contain specific requirements for clearing agencies that perform central 
counterparty ser\'ices, such as provisions governing credit exposures and the financial resources 
of the clearing agency. 'Hie rules also establish recordkeeping and financial disclosure 
requirements for all re^stered clearing agencies. 

These rules benefited from consultations between the Commission staff' and staffs of tlie 
CPTC and tlie Board, and take into consideration international standards. I'he requirements are 
designed to further strengthen the Commission’s oversight of securities clearing agencies, 
promote consistenc)' in the regulation of clearing organizations generally, and thereby help to 
ensure that clearing agency regulation reduces s>'stemic risk in the financial markets. 

Syslemically Important Cleanng Agencies 

Under Title \TII. FSOC is authorized to designate an FML' as s^stemically important if 
tlie failure or a disruption to the functioning of the FMU could create or increase tlie risk of 
significant liquidity or credit problems spreading among financial institutions or markets and 
thereby threaten the stability of tlie U.S. financial s\stem. SEC staff participates in the 
interagency committee established by FSCX to develop a framework for the designation of 


^ Section 803(6) of the Dodd-Frank Act defines a financial market utility as ‘*ai^ person that manages or operates a 
multilateral s^-siem for the purpose of transferring, clearing, or sealing payrnems, secirities, other Hnancial 
transactions among financial institutions or between financial uistitutions and the person ” 

® See Release No. 34-68080, Clearing jigency Siandants (October 22, 20I2X 
hgp/wwsec_flOv/nde& final 201234-^ 
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systeniically important FMUs. In July 2012, FSOC designated six clearing agencies registered 
with the Commission as systemically important FMUs under Title VTIl.’'’ 

Title VIII also provides a framework for an enhanced supers isoty regime for designated 
FMUs, including oversight in consultation with the Board and FSOC. The Commission is 
e.xpected to consider regulations containing risk management standards for the designated FMUs 
it supcr\'ises. taking into consideration relevant international standards and existing prudential 
requirements for such FMUs.*' Tlie Commission also is required to e.xamine such FMUs 
annually, and to consider certain advance notices identifying changes to its rules, procedures, or 
operations that could materially affect the nature or level of risks presented by the FMU in 
consultation with the Board.** 

In June 2012, tlie Commission adopted rules tliat establish procedures for how it will 
address advance notices front the FMUs,** and it has since considered a significant number of 
such notices.** Commission staff also has completed the first series of annual examinations of 
the designated FMUs for which it acts as supervisory agency and recently initiated the second 
series of annual examinations. 


Credit Rating .\gencies 

The Dodd-Frank Act requires the Commission to undertake a number of rulemakings 
related to NRSROs. The Commission began the process of implementing these mandates with 
the adoption of a new rule in January 2011** requiring NRSROs to provide a description of the 

Clearing agencies that have been designated systemically important are Chic^o Mercantile Exchange, Inc , The 
Depository Trust Company, Fixed Income Clearing Coqxxation, ICE Gear Credit LLC, National Securities 
Gearing Corporation, and The Optimis Gearing Corporation. 

” See § 805(aX2) of ihe Dodd-Frank Act. Commisston staff also worked jointly with the staffs of the CFTC and 
the Board to submit a report required under Ihe Dodd-Frank Act to Congress in July 201 1 discussing 
recommendations regardii^ risk management supeivisicm of clearii^ entities that are DFMUs Risk Management 
Supervision of Designated Clearing Entities, Report by the Commission, Board and CFTC to the Senate Committees 
on Banking, Housing, and Urban Affairs and Apiculture m fulfillment of Section 813 of Title Vin of Ihe Dodd- 
Frank Act (July 201 1 X htlD /iW-ww sec aov newsstudiesCul I '8l3sludv.iidf 

See § 80d(eX4) of the Dodd-Frank Act. 

” See Release No. 34-67286, Process for Submissions for Reeiev of Security-Based Swaps for Mandatory 
Clearing and Notice Fibng Requirements for Clearing Agencies; Technical Amendments to Rule l9b-4 and Form 
l9b-4 Applicable to All Self-Regulatory Organizations (June 28, 201 2X httn . w-ww sec eov/nile.s final -01 2 .34- 
67286 ndf 

” Advance notices are published on the Commission website at him www sec eov rules sro shlml - 

" See Release No. 33-9175, Disclosure for Asset-Backed Securities Required by Section 943 of die Dodd-Frank 
Wall Street Reform and Consumer Proteebon Act (January 20, 201 IX http ^www.sec.eov'nilesrfinalCOl 1.33- 
9175 pdf . In addition, pursuant to Section 939B of the Act, the Commission issued an amendment to Regulation FD 
to remove Ihe specific e.xemption from the rule for disclosures made to NTISROs and credit rating agencies for the 
purpose of determining or monitoring credit ratings. See Release No. 33-91 46, Removal from Regulation FD of the 
Exempbon for Credit Rating Agencies (September 29, 2010X him //www.sec.eov.'rules'final 2010 .J3-9l46.pdf 
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representations, N\aiTanties, and enforcement mechanisms available to investors in an offering of 
asset-backed securities, including how they differ from those of similar offerings. In May 2011. 
tlie Commission proposed a series of rules to further implement the NRSRO provisions of the 
Dodd-Frank Acv^ which would require NRSROs to: (1) report on internal controls; (2) protect 
against potential conflicts of interest: (3) est^lish professional standards for credit anaKsts; (4) 
publicly provide - along with the publication of the credit rating - disclosure about the credit 
rating and tlte methodology used to determine it: ajid (5) enhance their public disclosures about 
the performance of their credit ratings. I expect that the Commission will consider final rules in 
the near future. 

Additionally, tltc Dodd-Frank Act requires each federal ageiic)'. to the extent applicable, 
to review its regulations that require use of credit ratings as an assessment of the credit- 
worthiness of a security, remove tlrese references, and replace them ith appropriate standards of 
credit-worthiness. Tlie Commission has adopted fmal amendments dial remove references to 
credit ratings from most of its rules and forms that contained such references. iiKluding rules 
adopted in December 2013 removing references to credit ratings in certain provisions applicable 
to investment companies and broker-dealers.’’ In the short term. I expect that the Commission 
will vote on new requirements to replace the credit rating references in shelf eligibility criteria 
for asset-backed security issuers with new shelf eligibility criteria. 

The Dodd-Frank .Act also mandated three studies relating to credit rating agencies: (1) a 
study on die feasibilit)' and desirability of standardizing credit rating terminology, which was 
published in September 2012;” (2) a study on alternative compensation models for rating 
structured finance products, which was published in December 2012;’^ and (3) a study on 
N'RSRO independence, which was published in November 2013.^ In response to the study on 


^ S^e Release No. 34^51 4. Proposed RuUs for Nationally Recognized Statistical Rating Organiutions (May 1 8, 
201 IX htto ' wm-sec.gov.rdc&DroDOsed'20ir34^.M4[xif . 

^ See Release No. 34-60789. References to Ratings of Nationally Recogntied Statistical Rating Orgamations, 
(October 5, 2009) (pre Dodd-Frank Act adopting amendments to remove references to credit ratings in certain 
Commission roles) htto: ' wm'w sec eov ruks final 2t io9 34-60789 odf . Release No. 33-9245, Security Ratings, (July 
27. 20) 1) (post Dodd-Frank Act adq>Ung amendmerts to remove references to credit ratings m certain Cemmission 
roles) ItttD.'Www sec.gov roles final 201 1 33-9245 odf : Release No 33-9506. Remoml of Certain References to 
CretSt Ratir^s Under dK Investment Compco^’ Act, (December 27, 2013) (post Dodd-Frmk Act adofiing 
amendments to remove references to aedit raungs in certain Commission rules). 

http H-wts' sec.gov roles tinal20l3 33-9506 pdf . Release No. 34-71 194, Removal of CerUan References to CreAt 
Ratings Under ^e Securities Exchange Act of 1 934, (December 27, 2013) (post fXxld-Frank Act adopting 
amendments to remove references to credit ratings in certain Commission RulesX 
hap ^•WTiVseC|tovrolesfinal20l334-71194pdf 

^ CreAt Rating SlandarAzation Study (September ^1 2X 

http. vww^' sec eov ne^'s studies 2i)l29.19h credit rating standadization odf 

” Report to Congress on AssipiedCreAtRaPngs (December 2012X 
hnp, ww sec_gQV news studies :i>12 assigncd-aedfl-ratings-st^ 

* Report to Congress on CreAt Rating Agency Independence Study (No^'ember 20 1 3X 
hap/w-w\s\sec,gQVDevmstudies2013credit-rating-agenc\-mdeDendcMe-studv-2^ 
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atlemative compensation models for rating structured finance products, tlie Commission held a 
public roundtable in .May 2013 to imite discussion regarding, among other things, the courses of 
action discussed in the report. The stafThas considered (he various viewpoints presented during 
discussion at the roundtable, as well as in the related public comment letters, and I expect that they 
will be presenting to the Commission a recommendation for its consideration. 

.As required by the Dodd^Frank .Act, the Commission established an Office of Credit 
Ratings (''OCR'’) charged with administering the rules of the Commission with respect to 
XRSROs. promoting accuracy in credit ratings issued by NRSROs. and helping to ensure that 
credit ratings are not unduly influenced by conflicts of interest and NRSROs provide greater 
disclosure to investors.^* The Dodd-Frank .Act requires OCR to conduct examinations of each 
NRSRO at least annually and the Commission to make available to the public an annual report 
summarizing the essential exam findings. The third annual report of the staff s examinations 
w as published in December 2013.^' The staff will continue to focus on completing the annual 
examinations of each NRSRO. including follow -up from prior examinations, to promote 
compliance with statutory and Commission requirements. OCR also has established “colleges” 
of regulators to provide a frameivork for information exchange and collaboration w itli foreign 
counterparts regarding large, globally-aclive credit rating agencies. The first meetings oftlie 
colleges were held in November 2013. 


Asset-Backed Securities 

The Commission has made significant progress in implementing the prorisions of the 
Dodd-Frank Act related to asset-backed securities ("ABS”). The Commission is working with 
other regulators to jointly develop the risk retention rules required by Section 941 of the .Act 
w hich w ill address the appropriate amount, form, and duration of required risk retention for ABS 
securitizers. In March 2011, the Commission joined its fellow re^lalors in issuing for public 
comment proposed risk retention niles to implement Section 941. *'' We carefully considered the 


OCR'sscopeforNRSROexaminauonsincludesalleightareasrequiredbytheDodd-FrankAct OCRcorxbicts 
annual, ndc-based exanmations of all registered NRSROs to assess and pixmiote compliance wth laatutory and 
Comnussion requirements, monitors the activities of NRSROs, and provides guidance with respect to the 
Commission's pcdicy and regulatory initiatives related to N'RSROs. OGl also conducts special hsk-targeted 
examinations based on credit market issues and concerns and to follow up on tips, complaints, and NRSRO self- 
reported incidents 

2013 Summary Report of Comtmsston Staffs Examinaiions of Each Sationaify Recogrtized Statistical Rating 
Organisation (December 2013). httn uvvw sec gov news studiesC0l.3'nrsrD-!aimmafN-renon-20I.VDdf 

^ See Supet\'isoty Colleges for Credit Rating Agencies - Final Report (July 20 1 3X 
http viww IOSCO ontlibfarvanibdocs;ixlf10SrOPD4I6,ixlf 

** See Release No. 34-64148. CrerSi Risk Retention (March 30, 201 1), littP:/wTrwsecgON' rdes proposed 
64148.pdf. Section 941 of the Act generally requires the Commission, die Board, the Federal Deposit Insurance 
Corporation, the Oflice of the Comptroller of the Currency and. in the case of the securitization of any "residential 
mortgage asset,” the Federal Housing Finance AgerKy and Department of Housii^ and Urban Developmeni, to 
jointly prescribe regulations that require a secuntizer to retain not less than five pcrceitt of the credit risk of any asset 
that the secuntizer, throu^ the issuance of an ABS, transfers, sells, or conveys to a third par^ It also provides that 
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nianycontnteiits received on tlie ori^nal proposal and engaged in furtlier anal\'sis of the 
securitization and lending markets/' ultimately re-proposing the credit risk retention rules with 
several important modifications in August 2013.^ 

As under the original proposal, a sponsor generally would be permitted under the re- 
proposal to satisfy its risk retention requirement by choosing from a menu of options desired to 
provide flexibility while also ensuring tliat sponsors actually retain credit risk. TIte re-proposed 
rules would signiflcanth' increase the degree of flexibility that sponsors would have to meet the 
risk retention requirements. The re-proposed rules also include exemptions from risk retention 
for certain resecuritizations, seasoned loans, and certain types of securitization transactions with 
low credit risk. .Also, as required by Section 941. the re-proposal provides an exemption from 
the risk retention requirements for .ABS collateralized solely by qualified residential mortgages 
(“QRMs”). The re-proposal would equate the QRM definition to the definition of qualified 
mortgage (‘"QM”) adopted by tlie Consumer Financial Protection Bureau,'* *^ but also requests 
comment on an alternative approach to QRM that would add a 70^o loan-to-value requirement 
and certain credit history-related factors."^ The staff currently is considering the numerous 
comments received on the re-proposal and working with the other agencies* staff to move 
fo^^vard with appropriate recommendations for a final rule. 

In addition, in .August 2011. the Commission adopted rules in connection with Section 
942(a) of the Act, which eliminated the automatic suspension of the duly to file imports under 
Section 1 5(d) of the Exchange Act for .ABS issuers and granted the Commission authority to 
issue rules providing for the suspension or termination of this duty to file reports. The new rules 
permit suspension of the reporting obligations for .ABS issuers when there are no longer asset- 
backed securities of the class sold in a registered transaction held by non-affiliates of the 
depositor.**’ I expect tliat in the short term the Commission will consider new requirements for 
enhanced disclosures for ABS. including requiring standardized asset-level data for certain asset 


the jointly prescribed regulations must prohibit a securiti^r from directly or indirectly hedgir^ or other^'ise 
transfemng the credit risk that the securitizer is required to retain See I5U.S.C §7^n(cXlXA) 

See, eg.. Division of Economic and Ri^ Analysis White Paper. Qualified Residential. Mortgage: Background 
DataAnafysis on Credit Rude Retention (Ai^ust 2013) (analyzu^ serious delinquencies among ncm-GSE secuntized 
mortgages in order to address public comment and to aid in the understanding of potential ecrmomic effects related 
to the dcfinitkm of QRM). hno. ww^secgovdivtsion&riskfin\v‘hiteDaDcrsqrm-analvsis-OS-2013.Ddf . 

^ See Release No. 33-34-70277, Credit Risk Retention (August 28, 201 3X 
hap sec gov''mles'PfDDosed'201 3 34-70277 pdf . 

^ See 78 FR 6407 (January 30. 2013). as amended by 78 FR 35429 (June 12, 2013) and 78 FR 44686 (July 24. 
2013). 

* This credit overlay is designed to ^o.Kunate a 690 FICO serve without building into the rule reliance on a 
pnvate credit ratii^ 

^ See Release No. 34-65 1 48. Suspension of die Duly to File Reports for Classes <f Asset-Backed Securities under 
Section lS(d) of die Seainftes Exchange Act of 1934 (Ai^ust 1 7. 201 IX http www sec gov rules final 2< il I .^4- 
65148 Pdf 
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classes. If adopted, the new requirements would implement Section 942(b) of the .Act. which 
requires the Commission to adopt regulations to require asset-te\'el information. 

In Januar>' 2011, the Commission also adopted rules on the use of representations and 
warranties in the market for .\BS as required by the Act's Section 943.^® The rules require .ABS 
issuers to disclose the histor>' of repurchase requests received and repurchases made relating to 
tlieir outstaitding .ABS. and these disclosure filing commenced in Februarv- 2012. The 
disclosure requirements apply to issuers of registered and unregistered .ABS. including municipal 
.ABS. The Commission also adopted rules in Januarv' 201 1 to implement Section 945 of the 
Dodd'Frank Act, which required an ass^-backed issuer transaction registered under the 
Securities .Act to perform a review of the assets underlNing the .ABS and disclose tlie nature of 
such review.^* Under the final rules, the t>pe of review conducted may vary, but at a minimum 
must be designed and effected to pro\ ide reasonable assurance that the prospectus disclosure 
about tile assets is accurate in all material respects. 

In September 201 1. the Commission proposed a rule to implement Section 621 of the 
Act which prohibited entities that create and distribute ABS from engaging in transactions that 
involve or result in material conflicts of interest with respect to the investors in such .ABS.” The 
proposed rule would prohibit underwrites and other "securitization participants'’ from engaging 
in such transactions w ith respect to both non-s\nthetic and synthetic asset-backed securities, 
whether in a registered or unregistered offering. The proposal is not intended to prohibit 
legitimate securitization activities, «tnd the Commission asked questions in the release to help 
strike the appropriate balance. The Commission recei\ed a number of comments on the 
proposal, and the stafl'is carefully considering those comments in preparing its recommendation 
to the Commission. 


Investment Advisen and Broker-Dealers' Standards of Conduct 

In Januaiy 20 1 1, the Commission submitted to Congress a staff study required by Section 
913 of the Dodd-Frank .Act (the “LA BD Study"), which addressed the obligations of investment 
advisers and broker-dealers w hen proriding personalized investment advice about securities to 
retail customers. Tlie lA BD Study made two primary recommendations: that the Commission 


* Sfc Release No. 33-91 75, Dixlosure for.isxt-Bachid SeairitKs Required by Section Wofdte Dodd-Frank 
Wall Street Reform and Consumer Proteeden Act (January 20, 201 IX hao wwm' sec govrules final'201 1 '33- 
9175Ddr 

” See Release No. 33-9176, IssaerReeiew of Assets w Offerings of Asset-Backed Securities (January 20, 201 1), 
hCD WWW secMV/rulesfinal 201 1 33-9l76 pdf 

” See Release No. 34-65355, Prohibition (gainst Conflicts of Interest in Certain Securifiuitions (September 19, 
201 1). hno wwu-.sec.gov/nilc&'DfOPosed’201 1 34-65355.Ddf. 

® See Stutfy on Investment Advisers and Broker-Dealers (January 201 1 ), 

hnp sec gov ne^'s studies 201 1 '913stud\ final pdf: see alx Stalemenl by SEC Commissioners Kathleen L. 
Casey and Troy A Paredes Regarding Stud)' on Investment Advisers and Broko’-Dealers (January 21, 201 IX 
http WWW sec gov Tier's speech 201 1 spch012211klctaDhtm 
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(1) exercise Ihe discretionary' rulemaking authority provided by Section 913 of tlie Dodd-Frank 
Act to implement a uniform fiduciary standard of conduct for broker-dealers and investment 
advisers when they are providing personalized insestment advice about securities to retail 
investors; and (2) consider harmonization of broker*dealer and investment adx iser regulation 
when broker*deaters and investment advisers provide the same or substantially similar services 
to retail investors and when such harmonization adds meaningfully to investor protection. 

Shortly before 1 joined the Commission, the Commission issued a public Request for 
Data and Other Information (the “Request*') specific to the provision of retail investment advice 
and regulator)' alternatives.^'* The Commission sought, among other things, information relating 
to the potential impacts a uniform fiduciar) standard of conduct, or other regulator) approaches, 
may have on retail customer costs and access to personalized investment advice and product and 
service offerings, and how such negative impacts could be mitigated. 

Serious consideration is being given to the lA/BD Study 's recommendations, the views 
of investors and other interested market participants, potential economic and market impacts, and 
the information we received in response to the Request in deciding w hether, and if so. how . to 
exercise our rulemaking authority. Hie Commission staff is also coordinating w ith, and 
providing our expertise to, Department of Ubor staff as they consider potential changes to the 
definition of “fiduciary*’ under the Employee Retirement Income Security Act. I have prioritized 
the stafi" s consideration of tliese inputs and the substantial is.sues to be decided. 


\'olcker Rule 

On December 10, 2013, the Commission joined the Board, tlie Federal Deposit Insurance 
Corporation ("FDIC‘’X the Office of the Comptroller of the Currency (“OCC*’) (collectively, the 
“Federal banking agencies"), and the CFTC in adopting the same rule under the Bank Holding 
Company Act to implement Section 619 of the Dodd-Frank Act. generally referred to as the 
“Volcker Rule.”** 

To create tlie final rule, staffs from each of the five agencies engaged in a wide-ranging 
and extensiv e process to address issues and develop approaches related to effective 


^ S^eRequestfor Data and Other Infomatiai: DtihesofBrokerxDiaknmdInvestmitUAdnxrs(^{!ac)\]. 
2013), hap ww.sec■gc^v^rlde&^olhcf/2Q13 '34-69013.^ ^ 

See Release No. BHC A-I . Prohibitions and Restrictions on Proprietary Trading and Certain Interests in. and 
Relationships ff’rrfi. Hedge Funds and Private Equity Futds (December 10, 201 3X 

http wvvwsecttov rule& final 2013 bhca-l odf TheCommodit>'FitturesTradingCommBsiOT("CFTC")adopted 
the same common mle on the same date See 

hpp WWW cftc gov ucm groupsTxibk '^newsroom documents file federalfegtsierl2loi3 pdf . On January 1 4, 
2014, the Commission, tc^etber with the federal banking ^enciesand the CFTC, ^oved a coropsiion interim 
final ruk that peimits banking ernilies to retain interests ui ccrtaui collateralized debt obligations backed primarily 
trust preferred secunties See Release No. BHCA-2, Treatment of Certain Collateralized Debt Obbgatkms 
Boded Phmaiify by Trust Preferred Securities widt Regard to Prdiibitions ondRestrichons on Certain Interests in. 
andRelationdipsvidt, Hedge Funds and Private Equi^ Funds Qm. I7,20]4X 
hno: wm «c toy njl« imcnin M14 blica.2 pdf 
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implementation of the statute. Ihe Commission, like the other agencies, received and reviewed 
thousands of comment letters on the statutorv' mandate and the proposed rules that the Federal 
banking agencies and SEC jointly published to implement the Volcker Rule.^ The comments 
covered a wide spectrum of issues, w ith man>’ expressing concern about potential negative 
impacts on market liquidity as well as evasion concerns. The Commission, together with the 
other agencies, responded to these comments by crafting a rule that both reduces the potential 
impacts on market liquidity while also addressing coiKents about proprietar>' trading through a 
robust compliance program. 

Consistent with Section 619 and the interagency proposal, the final rule generally 
prohibits “banking entities*’ - including bank-affiliated. SEC-registered broker-dealers, security- 
based swap dealers, and investment advisers - from engaging as principal for their own trading 
accounts by taking positions in various securities and instruments for the purpose of selling in 
the near term or other^vise with the intent to resell in order to profit from short term price 
movements.^^ At the same time, the statute and final rule preserve certain essential financial 
services such as market making and underwriting, which are necessarv' for raising capita] and the 
healthy functioning of the U.S. financial system, including our securities markets. Consistent 
with the statute, the final rule does not, however, allow for these specified pemiitted activities if 
they involve material conflicts of interest or tJie employment of high-risk assets or trading 
strategies, or if they threaten the safety and soundness of banking institutions or U.S. financial 
stability. 

Tlie final rule takes a measured but robust approach to implementing the statutory' 
exemptions from the prohibition on proprietary' trading for market making and 
underwriting. This approach benellted from a consideration of commenter views on potential 
economic impacts, particularly with respect to liquidity in off-exchange markets, while 
preserving an appropriate separation between prohibited proprietary trading and activities 
permitted by the statute, and taking meaningful steps to prevent evasion. 

The final rule also implements the statutory provisions limiting the ability of banking 
entities to sponsor or invest in hedge funds and private equity funds. The Dodd-Frank .Act 
defined a “hedge fund " and “private equity fund" by reference to tlie re^latory exemptions 


** See Release No. J4-65545. ProhS>itms and Restrictions on Proprietary Trading and Certain Interests in. and 
Relati(mAips H'iA, Hedge Fwub andPrivate Equi^' Funds (Octoba 12, 201 IX 

hap wvrti sec aov niles proposed 201 1 34-65545 cdf . The CFTC issued a subsiaiilially similar proposal in January 
2012, which was pidilished m the Federal Register in Fekuary 2012. ^ 77 FR 8332 (February 14. 2012), 
hltp;'/wwwcfk£QvUwRcgulatiQnFcdcralRcgistcrT^(»05edRd^ 

^ Section 619 defines “banking entity" as any insured depository instiumon (other than cemin limited purpose trust 
irKtitutionsX any company that controls an insured depository instituti<m, any company that is irealed as a bank 
holding company for purposes of section 8 of the International Banking .Act of 1978 (i.e., a forc^ entity with a 
branch, agency, or subsidiary baric operation in the U.S.X and anv' affiliate or subsidiary* of any of the foregoing 
entities .See I2U.$.C I851(hXI). As set forth in the Dodd-Frank Act, the Commission's final rule applies to 
banking entities for which the Commission is the primary financial regulatory agency, including, amor^ others, 
ceitam SEC-registered broker-dealers, investment advisers, and security-based swap dealers 
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under the securities law^ commonly used by such funds. ^ The proposal carried forward this 
definition of a '‘covered fund.*' and included in the definition certain commodity pools and 
foreign funds. 

Responding to extensive comments received, the final nile refines the definition of a 
“covered fund." making clear that certain entities (e.g., entities used for general corporate - 
ratlier titan int^estment - purposes; mutual funds and certain foreign funds publicly offered 
abroad) that should not )M‘esent the same risks as tlie covered funds targeted by the statute are 
excluded. The final rule also takes a tailored approach witlt respect to foreign funds and 
commodity pools, and provides an exclusion for loan securitizations to implement the statutory' 
provision regarding the “sale and securitization of loans" by banking entities. 

As with any regulatory initiative of this scope and complexity, the final rule demands 
close attention to die nature and pace of implementation, particularly with respect to smaller 
banking entities. The final rule’s reporting and compliance program requirements are already 
focusing both the regulator)' agencies and firms on implementation. The staged implementation 
of the required reporting of quantitative trading data will facilitate reporting that is appropriate 
for the size of the banking entit>''s trading activities, and allow the agencies to review the merits 
of the data collected and reWse the data collection as appropriate. The threshold for reporting 
also has been adjusted to help ensure that it will be focused on the largest trading firms. 
Similarly, the compliance program requirements in the final nile are tiered based on the 
consolidated size of a firm or its trading activities, and the schedule for compliance will be 
phased in over time, in order to reduce unnecessary burdens and costs witliout compromising the 
objectives of the rule. 

Consistent with our e.xperience in other rulemakings, we expect a continued need for 
guidance regarding questions tliat will arise as market participants seek to comply with the final 
rule. We must be alert to both unintended impacts and regulatory loopholes as we move 
forward. The collaborative relationships among the agencies that deieloped during the 
rulemaking process are carrying fonvard and already are supporting joint and coordinated 
guidance, such as the recent interim final rule Issued by the agencies with respect to tlie 
treatment of certain collateralized debt obligations backed by trust-preferred securities. 

The agencies have formed an interagency working ^oup that will meet regularly to 
discuss implementation of the final rule. This interagency group will be instrumental in 
coordinating the agencies' interpretations and implementation of the final rule on a going- 
forward basis. The working group's first meeting occurred on Jaiiuaiy' 23 of this year, and the 
group plans to convene again later this w eek. .\mong other things, the group discussed potential 
methods of coordinating responses to interpretive questions and approaches to supervising and 
examining banking entities. Such collaboration should carry forvvard not just in implementing 
the rule, but also in coordinating the compliance and enforcement of the rule. 


^ Seclkm 619 of the Dodd-Frank .Act defines the terms “hedge fund*^ and “private equity fund" to mean an issuer 
that would be an investmeit company, but for section 3(cXl) or 3(c)(7) of the Investment Company /\ct, or “such 
similar funds” as the agencie.<: detennine by rule 
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Broker-Dealer Audit Requirements 

Tlie Dodd'Frank Act provided the Public Company Accounting Oversight Board 
(“PCAOB”) with explicit authority, among otlier things, to establish, subject to Commission 
approval, auditing standards for broker-dealer audits filed with the Commission. In August 
2013, the Commission amended the broker-dealer fuiancial reporting nile to require that broker- 
dealer audits be conducted m accordaiKe with PCAOB standards and to more broadly pro\‘ide 
additional sal'eguards with respect to broker-dealer custody of customer securities and funds.^^ 


Corporate Governance and Executive C ompensation 

The Dodd-Frank Act includes a number of corporate governance and executive 
compensation provisions that requite Commission rulemaking. Among others, such rulemakings 
include: 

• Savon Pay. In accordance with Section 951 ofthe Act, in Januarv’2011 the Commission 
adopted rules that require public companies subject to the federal proxy rules to provide a 
shareholder advisor*’ “say-on-pay” vote on executive compensation, a separate 
shareholder advisoiy vote on the frequency of the say-on-pay vote, and disclosure about, 
and a shareholder advisory vote to approve, compensation related to merger or similar 
transactions, known as “golden parachute” arrangements.^ Companies (other than 
smaller reporting companies) began providing these say-on-pay and “say-on-frequency” 
advisor)' votes at shareholder meetings occurring on or after Januaiy’ 21, 2011. The rules 
provided smaller reporting companies a two-)'car delayed compliance period for the say- 
on-pa) and “frequency” votes, and tltose companies began complying w ith the rules on 
Januar)' 21. 2013. The Commission also proposed rules to implement the Section 951 
requirement tliat institutional investment managers report their votes on these matters a! 
least annually.^' 

• Pay Ratio Disciosuiv. As required by Section 953(b) of the Act, in September 2013, the 
Commission proposed rules that would amend existing executive compensation rules to 
require public companies to disclose the ratio of the compensation of a company's chief 
executive officer to the median compensation of its employees.*^ The proposed rules 


** Release No. 43-0073, Broter-Dej&rReports (Aug 21.20131. hito ^^w•^vgDogov fdsv's. pkgFR-2013-08- 
:rndf 2m 3-18738 Pdf . 

^ Release No. yi-9]Tt,ShaKholderAppr(mlcfExgcutiveCompensati<mandGoUejiParachute 
Compensation (Januaiy 25, 201 1), http w’w wsec.gw rules final 201 133-91 78 pdf 

See Release No. 34-63 1 23. Repomng of l oUs on Executiw Compensation and Other Uatters (October 1 8, 

20101 htto WTivw sec gov/mle&pn»osed20^ 

** See Release No. 33-9452, Pay Ratio Dischsun (September 18, 2013), 
http WWW sec aov/niles proposed 2013 33-9452 pdf . 
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would allow companies flexibility' in developing the disclosure required by the Act by 
allowing companies to select a calculation methodology that is appropriate to the size and 
structure of their own businesses and the way they' compensate employees. The proposed 
rules also permit the use of statistical sampling. The Commission has received numerous 
comments on tlie proposal, and the staff is working to prepare recommendations for the 
Commission on a final rule. 

• Compensation Committee and Adviser Requirements. In June 2012, the Commission 
adopted rules to implement Section 952 of the .Act. which requires the Commission, by 
rule, to direct the national securities exchanges and national securities associations to 
prohibit the listing of any equity seairity of an issuer that does not comply with new 
compensation committee and compensation adviser requirements.*^ The new rules direct 
the exchanges to establish listing standards concerning compensation advisers and listing 
standards that require each member of a listed issuer's compeasation committee to be an 
“independent'’ member of the board of directors. The rules also require disclosure about 
the use of compensation consuhants and related conflicts of interest. To conform their 
rules governing independent compensation committees to the new requirements, national 
securities exchanges that have rules providing for the listing of equity securities filed 
prq>osed rule changes witli the Commission.*^ Ihe Commission issued flnal orders 
approving the proposed rule changes in January 2013.*^ 

• Incentive-Based C'ompensation .Arrangements. Section 956 of the Dodd-Frank Act 
requires the Commission, along with six other financial regulators, to jointly adopt 


® See Release No. 33-9330. Listing Sumdards forCompensatiott Cornnittees (June 20. 201 2X 
hno: WWW sec.flov'ndcsfml 201233-93301^ 

** See Release No. 34-68022 (October 9. 2012), Hin - wvrK sec gov rules sru'hats 2012..34-68022.Txif (BATS 
Exdange, Inc.y, Release No. 34-68020 (October 9. 201 2X http ww-vv sec gov rulesgo cboe'2012.'34-68020 pdf 
(Chicago Board of Options Exchange, Inc ); Release No. 34-68033 (October 10, 2012X 
http WWW sec eov'nile&srochx2012>34-^033 pdf (Chicago Stock Exchange, Inc.X Release No. 34-68013 
(October 9, 201 2), http, www sec.gcw, rules sro nasdao 201234-^8013 odf (Nasdaq Stock Market LLC); Release 
No. 34-6801 8 (October 9, 2012), htto .Vwwvy.scc eovTulessrobx201234-68018.pdf (Nasdaq OMX K(, Inc.); 
Release No. 3^8039 (October 1 1, 201 2X http: sec gov.' rules sn> nsx201 2 34-68039 pdf (Natkmai Slock 

Exdwnge. Inc-X Release No. 34-68011 (Cictobef 9. 2012X http: Viww sec gov rules sro nvse 201 2 34-6801 1 pdf 
(New York Slock Exchange LLC); Release No. 34-68006 (October 9, 201 2), 

hitp 'WWW sec.ttov rules sro'nvsearca 201234-68006 pdf (NYSEArca LLQ, Release No. 34-68007 (October 9. 
20121 http ' WWW sec gov niles.'gonvsemkt/201 234-68007.pdf (NYSE MKT LLC). 

^ See Release No. 34-68643 (January 1 1, 2013), htto www sec gov rules srobats. 201 3 34-68643 pdf (BATS 
F.xchai^e, Inc-X Release No. 34-68642 (January' 1 1 , 201 3), him \vwwsecgov nilessrocboe2nl3 34-^642.pdf 
(Chicago Board of Options Exchange, Inc.); Release No 34-68653 (January 14, 201 3X 
httpy \i-ww_sec_tt0V:niles srQ chx 2013 34-68653 odf (Chicago Stock Exch^e, Inc.X Release No. 34-68640 
(January 1 1, 2013X htlp:"wwwsec-gov'fule&'sro'nasfbq20l3r34-6864npdf (Nasdaq Stock Market LLCX Release 
No. 34-68641 (January 11. 20 1 2X htlp .'/www. sec gov /rules go bx20 1 3 34-6864 1 pdf (Nasdaq OMX BX Inc.); 
Release No. 3^68662 (January 15, 2012), http vvww sec gov rules sfo-ns.x2013 34-6^ pdf (National Stock 
Exchange, Inc.X Release No. 34-68635 (January 1 1, 2013), http 'www sec.gov rules sro nvse 2013'34-68635.pdf 
(New York Stock Exchange LL(2); Release No. 34-68638 (January 1 1, 2013), 

hnp:.Vwww sec gov rules sro''nvsearca 2013'34-68638 pdf (NYSEAroa LLQ, Release No. 34-68637 (January 11, 
2013X http ^ vvww sec gov rulesr'sram semkl'2013 '34-68637.Ddf fNYSE MKT LLC). 
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regulations or guidelines governing the incentive-based compensation arrangements of 
certain IlnaiKial institutions, including broker-dealers and investment advisers with $1 
billion or more of assets. Working with the other regulators, in March 2011. the 
Commission published for public comment a proposed rule that would address such 
arrangements.^ The Commission has received many comment letters on the proposed 
rule, and the Commission staff, together with staff from the other regulators, is carefully 
considering the issues and concerns raised in those comments before making a 
recommendation for Commission consideration. 

• Prohibition on Broker Voting of I'ninstructed Shares. Section 957 ofthe Act requires 
tlie rules of eadi national securities exchange to be amended to prohibit brokers from 
voting uninstructed shares in director elections (other than uncontested elections of 
directors of registered investment companies), executive compensation matters, or any 
other significant matter, as determined by the Commission by rule. The Commission has 
approved changes to the rules with regard to director elections and executive 
compensation matters for all of the national securities exchanges, and tliese rules are all 
now effective.^’ 

The Commission also is required by the Act to adopt several additional rules related to 
corporate governance and e.xecutive compensation, including rules mandating ne\v listing 
standards relating to specified “clawback” policies,^ and new disclosure requirements about 
executive compensation and company performance.^ and employee and director hedging. The 


^ Release No. 34^140 (March 29. 201 1 k hUo :<V vfu'w sec gov rules pfoposcd 2011 1 4() txif 

^ Set Release No. 34-62874 (September 9. 2010). htto: ‘^www sec gov 'rules‘sro m’se 'yjl(i 34-62874.pdf (New 
Ywk Stock Exchange); Release No. 34^2992 (September 24, 2010X hBo . '^'w sec-gov/rules/sranasdagCOlOi^ 
62992.pdf fNASDAO Stock Market LLQ, Release No. 34-63139 (October 20. 2010), 
httP 'VU’Mw.sec gov-fule&'sro ge^ 2010/34.63139 pdf (Irterralional Secunbes Exchange); Release No. 34-6391 7 
(February 16. 201 IV hup ' \tWTft\sec.aov/rules sro cboe 2(>l I 34-6391 lodf fChicaao Board Options Exchanged 
Release No. 34-6391 8 (February 16, ^1 IX http wwsec.gov rulcs srac2 2011 34-63918 txlf (C2 Options 
Exchai^e. Incorporated). Release No. 34-^23 (March 3, 201 IV httpi^/Www sec gov rule&gobxCOl 1 34- 
64023.pdf (NASDAQ OMX BX, lnc.>. Release No. 34-64024 (March 3. 201 IX 

http . \>w.$ec.gov’fuleSi Sro/bx 2011/34-64024 pdf (Boston Options Exchange Group, LLCX Release No. 34-64 1 2 1 
(March 24. 201 IV http ■' ffww sec eov/rules sro'ch.x/201 1 '34-64121 odf (Chicago Stock Exchai^e); Release No. 34- 
64122 (March 24, 201 IX l«p;/uwsecii»CT-rulessro'phk20 OMX PHLX LLC); 

Release No. 34-64186 (Apnl 5, 2011V hop .tt-^xr sec KW fuies/sr&edgx^^ l .'34-64186-pdf (EDGX Exchange); 
Release No. 34-64187 (Apnl 5. 201 IV hop. ^ws ec4Qvmlek-amLc dga20ir34-64187.fxlf(El^ Exchange); 
Release No. 34-65449 tS^ember 30. 201 IV httD:/ 'www sec go>-/rules. sro bats‘201 1 -34-65449 ndf fBATS 
Exchai^e. Inc-X Release No. 34-65448 (September 30, 201 IV hPp. w>t’Vi .sec.gov/mles/sro1nT0^1 1 34-65^ pdf 
(BATS Y-Exchangc, Inc.), Release No. 34-65804 (November 22, 201 IX hap. 'VuTvu\sec.gov’ 'ruk&'sro'nsx^tOl 1. 34- 
65&!M pdf (National Stock Exchange. Inc.X Release No. 34-66006 (December 20. 201 1) 
hop ww.sec gov ruic&srom’seamex^201 1 34-66006.pdf . (NYSE Amex LLQ, Release No. 34-66192 (January 
19, 2012), http ’WWW' sec gov rules stxK'nvsearca 20 12/34-66 192 odf (NYSE Area. Inc.) and Release No. 68723 
(Januao- 24, 2013) (MIAX-2013-02). 

“ § 954 of the Dodd-Frank Act 
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Staff currently is in the process of developing recommendations for the Commission concerning 
the implementation of these provisions of the Act. 


Specialized Disclosure Provisions 

Title XV of the Act contains specialized disclosure provisions related to conflict 
minerals, coal or other mine safety, and payments by resource extraction issuers to foreign or 
U.S. government entities. The Commission adopted final rules for the mine safety provision in 
December 201 1.^‘ and companies are currently complying with those rules. In addition, the 
Commission adopted fmal rules for disclosure relaluig to conflict minerals and payments by 
resource extraction issuers in .August 2012.’^ 

A lawsuit was filed challenging the resource extraction issuer rules, and in July 2013, tlie 
U.S. Disiria Court forthe District of Columbia vacated the rules. The Commission did not 
appeal the decision and is considering tlie Court's decision in determining how to proceed with 
the rulemaking to implement the staliUon' mandate. 

.A lawsuit also was filed challenging tlie conflict minerals rule, and in July 2013, the U.S. 
District Court for the District of Columbia upheld the rule.’"* This ruling, however, has been 
appealed to the U.S. Court of .Appeals for the D.C. Circuit. The Court expedited consideration of 
tlie case and the oral argument was held last month. .A stay of tlie conflict minerals rule has not 
been requested, and issuers are ex*pecled to provide their initial filings by May 31, 2014. 


Exempt Offerings 

In December 201 1, the Commission adopted rule amendments to implement Section 
413(a) of the Act, which requires the Cennmission to exclude tlie value of an indix iduai's 
primary residence when determining if that individual's net worth exceeds the $l million 
threshold required for “accredited investor'’ status.’^ Section 413(a) was efieclive on the dale of 


’’ See Release No. 33-92^6, Mine S<^ety Disciosure (December 21 . 201 1). hup '^Vrwsec govrrule& final^OI I 33- 
9286 Pdf 

See Release No. 3447716, Conflict Minerals 2Z 20121. Imp: www sec gov rules fmal 2012 ’34- 
67716 pdf and Dijcfosu/v of Payments by Resource Extraction Issuers (Ai^usl 22, 201 2X 
hCD- n-vr-w sec gpv mlcs final 2012344771 7 Pdf 

^ American Petroleum Institute, et al v. Securities and Exchange Commission and Oxjdm America Inc., No 12- 
1668 (D.aC. July 2. 2013). 

Noaonai Asxiciatton ofMauflacturers, et aL v. Securities and Exdtat^e Commission, Amteshf International 
USA. and Aimes^ International Ltd, 12-1422 (D.D.C. July 23, 2013). 

^ See Release No. 33*9287, Net ttoilh SlandardforAccre^ted Investors (December 21, 201 1) and (March23. 
2012V httP- Www.scc trov rul eSjUnal 2 Q1 1 33-9287.Ddf and hUp, wv>'w.scc.govTules’Snal'201233*9287a.Ddf 

(teclnical amendment) 
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enactment of t)ie I)odd-Frank Act and the implementing rules clarify the requirements and codify 
them in the Commission's rules. Section 413(bX2XA) of the .^ct requires the Commission to 
undertake a review of the accredited investor definition in its entirety as it relates to natural 
persons four )’ears after the enactment of the Act The staff is currently conducting this review 
and I expect that the Commission will consider whether to propose any changes to the definition 
once the review is completed. 

Section 926 of tlie Ad requires the Commission to adopt rules that disqualify' securities 
offerings involving a'llain ‘felons and otlier ‘bad actors"’ from relying on the safe harbor from 
Securities Act registration provided by Rule 506 of Regulation D. The Commission adopted 
final rules to implement this requirement on Julv 10. 2013, and the rules became effective on 
September 23, 2013.’* 


Office of Minority and M'omen Inclusion 

In July 201 1. pursuant to Section 342 of the Dodd Frank Act. the SEC formally 
established its Office of Minority and Women Inclusion (“OMWf’). OM Wl is responsible for 
matters related to diversity in management employment and business activities at the SEC. This 
includes developing standards for equal employment opportunity and diversity of the workforce 
and senior management of the SFX\ the increased participation of minority-owned and women- 
owTied businesses in the SEC's programs and contracts, and assessing the diversity policies and 
practices of entities regulated by the SEC. 

To improve div’ersity in our workforce and in our contracts. OMWI has deployed a broad 
outreach strategy where the SEC pailicipates in minority- and women-focused career fairs, 
conferences, and business matchmaking events to attract diverse suppliers and jobseekers to the 
SEC. As a result of its outreach efforts, in FY 2013, 28.4% of the total contract dollars awarded 
by the SEC were awarded to women and minority contractors, an increase of 6.5% over llie prior 
year. In FY 2013, 33®« of new hires were minorities and 40® i> were women, up from 31®'o and 
36% respectively in FY 2012. OMWi and the Commission are committed to continuing to work 
proactively to increase the participation of minority-owned and w omen-owned businesses in our 
programs and contracting opportunities and to encourage diversity and inclusion in our 
woikforce. 

.As required by Section 342 of the Dodd-Frank .Act. ONfWI also continues to make 
progress on the development of standards and policies relating to regulated entities and 
contracting. On October 23. 20 1 3. pursuant to section 342(bX2XC) of the .Act, tlie SEC, along 
with the OCC. tlie Board, the FDIC. the National Credit Union .Administration, and the 
Consumer Financial Protection Bureau, issued an interagency policy statement proposing joint 


^ See Release No. 33-9214, Oisqualijication of Felons andOther "Bad Adors” from Rule S06 Offerv^s (July 10, 
20131. http ww sec gov/mle& final 201333-9414 pdf . On the same date, the CommissiOT also adopted the fual 
rules to eliminate the prohibition ^inst general solicitation m cenain Rule 506 oiterings See Release No. 33- 
94 1 5, Eliminating the Pndribition Agamst General Solicitation and General Advertising in Rule 506 and Rule 144A 
Offerings (July 10, 2013X http ' wiyw sec.eov niles'final 2013 33-9415 pdf 
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standards for assessing the diversity policies and practices of the institutions they regulate/^ llie 
proposed standards are intended to promote transparency and awareness of diversity policies and 
practices within federally regelated financial institutions. On December 19, 2013, the agencies 
extended the public comment period from December 24, 2013 to Febniar>' 7, 2014.’* * 


Customer Data Protection 

SEC Regulations 

On April 10. 2013. to implement Section 1088 of the Dodd-Frank Act the SEC and the 
CFTC jointly adopted Regulation S-ID. which requires certain regulated financial institutions 
and creditors’^ to adopt and implement identity theH programs.*^ Regulation S-ID is effective 
today and requires covered finns to implement policies and procedures designed to; 

t identify.' releN'ant t\T>es of identity theft red flags; 

• detect the occurrence of those red flags; 

• respond appr<^riateiy to tlie detected red flags; and 

• periodically update the identity theft program. 

Regulation S-ID also requires entities to provide staff training, oversight of ser\’ice providers, 
and p^o^’ide guidelines for and examples of red flags to help Arms administer tlKir programs. 

Regulation S-ID builds upon the SEC's existing rules for protecting customer data, in 
particular Regulation S-P. Hiat regulation requires registered broker-dealers, investment 
companies, and investment ad\’isers to adopt written policies and procedures instituting 
administrative, technical, and phNsicai safeguards for the protection of customer records and 
information.*' The policies and procedures must be reasonably designed to ensure tlie security 


^ Seg Release No. 34-7073 1 , Proposed Inleragency Policy Slolment Proposing Jooit Standards for Assessing die 
Diversity Policies and Practices of the Entities Regulated by dte Agencies and Request for Comment (Ocl 23, 201 3) 
haps.. WWW sec go^' rules doLcv ’2013 34-70731 odf 

See Public Comment on the Proposed Interagency Policy Statement Eslabli^ng Joint Standards for Assessing 
the Diversity Policies of Practices of Entities Regulated by tlw Agencies, (Dec. 1 9, 201 3) 

haps: WWW scc ECT- rules Dobev 2013 commen^^ 

^ Regulation S-ID ai^Iies to SEC-regulated entities that meet the deftniticn of "financial institution" or "creditor" 
under the Fair Oedu Reporting Act 

* See Release No. 34-69359. Identity Thef Red Flags RuUs(Apri] 10, 2013). 
haps WWW s<c.gov-'rulesfinal20l3'34-69359pdf . 

* See Release 34-42974, Privacy of Consumer Financial Infonnalion (Regulation S^P) (June 22, 2000). 

hacs WWW sec.eov ‘rules’final’34-42974 fatm . In Avgust 2009, the G^nmission adc^ed a related rule prohibaing 
the use of consumer rep(^ information received from an aftiliale fer marketing purposes, unless the consumer has 
been given notice and an opportunit)' to opt oia of having the information used for this purpose See Release 34- 
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and confidentiality of customer records and infonnation, protect against any unanticipated tlireats 
or hazards to the security or integrity of customer records and information, and protect against 
unautliorized access to or use of customer records or information that could result in substantial 
harm or inconvenience to any customer. Regulation S>P also provides protections for the proper 
disposal of consumer report information and records. These regulations operate in conjunction 
with other state consumer protection laws, including tliose state laws that re^juire itolification to 
customers in the event of a data breach. 

The guidelines accompan\mg Regulation S'lD state that the policies and procedures 
should contain responses to red flags commensurate with the degree of risk posed. In 
detennining an appropriate response, entities covered by Regulation S*ID should consider 
aggravating factors that may heighten the risk of identity thefl. such as a data security incident 
tltat results in unauthorized access to account records. Appropriate responses ma>' include, 
among others: 

• Monitoring a covered account for evidence of identity thefl: 

• Contacting the customer. 

• Changing any password, security codes, or other security devices that permit access 
to a covered account; or 

• Notifying law enforcement. 

'Hie SEC's authority generally relates to securities transactions and not to retail payment 
systems, on which the authority generally resides with the banking regulators. 

SEC Examinati&i and Enforcement 

The SEC monitors and enforces compliance w ith these rules and regulations through our 
examination and enforcement programs.^^ In 2013, tlie SEC's National Exam Program 
conducted examinations of registrants relating to data protection, including compliance with 
Regulation S-P. The National Exam Program has included information security as an 
e.xamination priority in 2014.^ 


60423. Lumlatum on Affiliate Marketing (Regulahtm S^AM) (August 4, 2009), 
httPS . ww s« K)v rules fuial-t>>9 34^M 

In addition, in 201 1, the Division of Coiporation Finance published guidance that expressed its views regarding 
the disclosure obligations of registrants relating to cybersecurit)’ rides and cyber mcidenis. See Division of 
CorpOTalion Finance. CF Disclosure Guidance: Tc^cNo. 2(d«ober 13, 201 1), 
hap: .WWW sec eov divisions'corpfmguidancc.cfguidanoe-tooic2 htm . 

^ See National Examination Program, Office of Compliance Inspections and Examinations. Exammalm Priorities 
for 2014 at 2 (January 9, 2014), hap. . www scc.gov about officcsocic natnMial>e.xamuialion-program-DnonUcs» 
:014pdf . 
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In recent years, the SEC's Division of Enforcement has brou^t actions for failure to 
comply with Regulations S-P, including a registrant's failure to adopt reasonable policies and 
procedures that protect customer information from imminent threats and for failure to respond or 
follow up on security threats despite red flags. 

When the SEC is notified that customer information or records have been compromised, 
the staffs response will depend on the specific facts and circumstances surrounding the event. 
SEC staff coordinates its response and any resulting investigation as appropriate w ith other 
government agencies and law' enforcement authorities. 

Other Activities to Protect Customer Data 

The SEC participates in a number of multilateral initiatives across and between 
government agencies and die securities industry that focus on protecting customer data. For 
example: 


• In July 2013. Commission staff participated as host regulator in the Securities 
Industry and Financial Markets Association's (“SIFMA”’) Quantum Dawn 2 industry 
test, a simulation designed to test the cyber resilience and crisis management 
capabilities of the various entities tlial make up the securities industry', including the 
SR()s and broker-dealers. 11iis one-day simulation included distributed denial of 
service attacks, the insertion of cyter v imses and the use of an administrator account 
to sell off targeted stocks. While this exercise identified instances where the 
industry has made successful efforts to improve its cyter-security capabilities, the 
results of the test also demonstrated a need for better coordination of information 
across tlie industry. 

• The Commission is a member of the Financial and Banking Information 
Infrastructure Committee (“FBIIC"), chaired by the Treasury' Department and the 
Commission’s staff regularly attends FBIIC meetings to discuss the latest cyber 
threats and business continuity planning efforts within the banking and securities 
industry . The Commission staff also participates in classified and unclassified 
briefings organized by security agencies for FBIIC members and the securities 
industry (throu^ the Financial Services Sector Coordinating Council for Critical 
Infrastructure and Homeland Security and SIFM A) regarding cyber threats to the 
financial sector. In addition, the FBIIC collaborates with the FSSCC and the 
Financial Serv ices Information Sharing and /Analysis Center, to facilitate, among 
other things, the sharing of information concerning cyber threats, vulnerabilities, 
incidents, potential protective measures and practices. 


** See, i.g.Jn 0KSiolUr of Stephen Derby Giscloir. SEC Kdesse'Ho 34-70742 (October 23. 20 13X 
HBd 'H-ww sec gov lfligauon adnuft 2013 34-70742 t»df. 

In the Matter of Frederick 0. Kraus, SEC Release No. 34-64221 (April 7, 201 IX 

http, sec gov Iflt2auon'adiiiin201 1 34-64221 odf: and In the Matter of Ctmrtonvealdi Equity Services, LLP, 
SEC Release No. 34-60733 (September 29, 2009), httD..';vro’^' see gov litigauon admin 2009 34^733 pdf . 
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• The Commission is a m^nber of tlie Financial Serv ices Sector Committee of the 
Critical hifrastruclure Partnership Advisorv' Council established by the Department 
of Homeland Security to facilitate tiie coordination between federal infrastructure 
protection programs with the infrastructure activities of the private sector and of 
state, local, territorial and tribal governments. 

• The Commission is a member of the President * *s Identity Theft Task Force that w as 
established by Executive Order 13402.*^ The President's Task Force is comprised of 
representatives from 17 agencies and was created to coordinate federal agencies' 
efforts to combat identity theft. It has made several recommendations over the years 
relating to tlie prevention of identity theft, assistance to victims of identity theft, 
deterrence of identity theft, and a call for legislative action to close gaps in federal 
criminal statutes to more effectively prosecute and punish identity theft^rclated 
offenses. 

In addition to these efforts to protect individual consumers' data, in March 2013 the 
Commission proposed new rules to require certain ke>' maricet participants (e.g., registered 
national securities exchanges, certain alternative trading s>'stems, F1NR.A, and certain clearing 
agencies) to have comprehensive policies and procedures in place to better insulate market 
infrastructure technological s>'stems from vulnerabilities.^^ 


SEC Resources 

Under the Dodd-Frank AcL the SEC collects transaction fees that offset the annual 
appropriation to the SEC. .Accordingly, regardless of the amount appropriated to the SEC. our 
funding level will not take resources from other agencies, nor will it have an impact on the 
nation's budget deficit. Since FY 2012, the SEC has not received a significant increase in 
resources to pennit the agenc>' to bring on the additional staff needed to adequately cany^ out our 
mission. 

This is especially true in light of the Dodd-Frank and JOBS Acts' significant expansions 
of the SEC's jurisdiction, but would remain true had those e.xtensive additional responsibilities 
not been added. These new responsibilities cannot be handled appropriately witli the agency's 
existing resource levels w itliout undermining the agency's other core duties, particularly as we 
turn from rulewriling to implementation and enforcement of those rules. 

.Additional resources will be vital. We need additional staff experts to focus on 
enforcement, examinations, and regulatory oversight. The SEC also is aiming to continue 
investing in its technology capabilities to implement tlte law and police tlie markets. In 
particular, we hope to strengthen our ability to take in, organize, and analyze data on the new 
markets and entities under the agency's jurisdiction. .Additional funding will be essential to tliat 


Executive Order 13402. "Sircn^ning Federal Efforts To Protect A^nst Identity Theft," 71 FR 93 (May 15, 
200Q. 

* See Release No. 34-69077, Regulation ^'sterns Compliance and Integrity (Kfarch 8, 2013X 
httn u'wwsecgovTulc&iyoposed2<il.V34-69u77Ddf 
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effort. Also critical will be the SHC's continued use of the Resei^e Fund, established under the 
Dodd-Frank Act. Ihe SEC dedicated the Reserv e Fund to critical IT upgrades, ajid. if funding 
permits, plans to continue investing in areas such as data anal>'sis, EDGAR and sec.gpv 
modernization, enforcement and examinations support, and business process improvements. 

If the SEC does not receive sufficient additional resources, the agency will be unable to 
full)' build out its technology and hire the industry experts and other staff needed to oversee and 
police our areas of responsibility, especially in light of the expanding size and complexity of our 
overall regulator) space. Our nation’s markets arc the safest and most dynamic in the world, but 
without sufficient resources, it will become increasingly diHlcult for our talented professionals to 
detect, pursue, and prosecute violations of our securities law s as the size, speed, and complexit) 
of the markets grow around us. 


Conclusion 

To date, the Commission has made tremendous progress implementing the considerable 
rulemaking mandated by the Dodd-Frank Act As the Commission strives to complete the 
remaining work. I look fonvard to woiking with this Committee and otlier stakdiolders in the 
financial marketplace to adopt rules that protect investors, maintain fair, orderly and efficient 
markets, and facilitate capital formation - as well as take appropriate measures to enhance 
Hnancial stability and limit potential systemic risks. Thank you for inviting me to share our 
progress with you. I look forward to answering your questions. 
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PREPARED STATEMENT OF MARK P. WET JEN 

Acting Chairman, Commodity Futures Trading Commission 

February 6, 2014 

Good morning Chairman Johnson, Ranking Member Crapo and Members of the 
Committee. Thank you for inviting me to today’s hearing on the Dodd-Frank Wall 
Street Reform and Consumer Protection Act (“Dodd-Frank”) and customer informa- 
tion security. I am honored to testify as Acting Chairman of the Commodity Futures 
Trading Commission (“CFTC”). I also am pleased to join my fellow regulators in tes- 
tifying today. 

Now is a good time for not only this Committee, but all stakeholders in the CFTC 
to reflect on the agency’s progress in implementing financial reform and what the 
future might bring for this agency and the markets it oversees. 

Due to Dodd-Frank and the efforts of my colleagues and staff at the CFTC, today 
there is both pre-trade and post-trade transparency in the swaps market that did 
not exist before. The public now can see the price and volume of swap transactions 
in real-time, and the CFTC’s Weekly Swaps Report provides a snapshot of the 
swaps market each week. The most liquid swaps are being traded on regulated plat- 
forms and exchanges, with a panoply of protections for those depending on the mar- 
kets, and regulators themselves have a new window into the marketplace through 
swap data repositories (“SDRs”). 

Transparency, of course, is helpful only if the information provided to the public 
and regulators can be usefully employed. Therefore, the CFTC also is taking steps 
to protect the integrity of that data and ensure that it continues to be reliable and 
useful for surveillance, systemic risk monitoring, and the enforcement of important 
financial reforms. 

These transparency rules complement a number of equally important financial re- 
forms. For example, the counterparty credit risks in the swaps market have been 
reduced as a large segment of the swaps market is now being cleared — as of last 
month, about 70 percent of new, arm’s-length swaps transactions were being 
cleared. Additionally, nearly 100 swap dealers and major swap participants 
(“MSPs”) have registered with the CFTC, bringing their swaps activity and internal 
risk-management programs under the CFTC’s oversight for the first time. We also 
have strengthened a range of futures and swaps customer protections. 

As it has put these reforms in place, the CFTC has consistently worked to protect 
liquidity in the markets and ensure that end users can continue using them to 
hedge risk as Congress directed. 

The CFTC, in short, has completed most of its initial mandate under Dodd-Frank 
and has successfully ushered in improvements to the over-the-counter derivatives 
market structure for swaps, while balancing countervailing objectives. 

Volcker Rule 

In recent weeks, the Commission finalized the Volcker Rule, which was one of our 
last major rules under Dodd-Frank. The Volcker Rule was exceptional on account 
of the unprecedented coordination among the five financial regulators. 

Congress required the banking regulators to adopt a joint Volcker Rule, but it also 
provided that the market regulators — the Securities and Exchange Commission 
(“SEC”) and the CFTC — need only coordinate with the prudential banking regu- 
lators in their rulemaking efforts. One of the hallmarks of the final rule is that the 
market regulators went beyond the congressional requirement to simply coordinate. 
In fact, the CFTC’s final rule includes the same rule text as that adopted by the 
other agencies. Building a consensus among five different Government agencies was 
no easy task, and the level of coordination by the financial regulators on this com- 
plicated rulemaking was exceptional. 

This coordination was thanks in no small part to leadership at the Department 
of the Treasury. Secretary Lew, Acting Deputy Secretary Miller, and others were 
instrumental in keeping the agencies on task and seeing this rulemaking over the 
finish line. Along with the other agencies, the CFTC received more than 18,000 com- 
ments addressing numerous aspects of the proposal. CFTC staff hosted a public 
roundtable on the proposed rule and met with a number of commenters. Through 
weekly inter-agency staff meetings, along with more informal discussions, the CFTC 
staff and the other agencies carefully considered the comments in formulating the 
final rule. 

Differences with Proposal 

The agencies were responsive to the comments when appropriate, which led to 
several changes from the proposed Volcker Rule I would like to highlight. 
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The final Volcker Rule included some alterations to certain parts of the hedging — 
exemption requirements found in the proposal. For instance, the final rule requires 
banking entities to have controls in place through their compliance programs to 
demonstrate that hedges would likely be correlated with an underlying position. The 
final rule also requires ongoing recalibration of hedging positions in order for the 
entities to remain in compliance. 

Additionally, the final rule provides that hedging related to a trading desk’s mar- 
ket-making activities is part of the trading desk’s financial exposure, which can be 
managed separately from the risk-mitigating hedging exemption. 

Another modification to the proposal was to include under “covered funds” only 
those commodity pools that resemble, in terms of type of offering and investor base, 
a typical hedge fund. 

CFTC Volcker Rule Implementation and Enforcement 

The CFTC estimates that, under its Volcker regulations, it has authority over 
more than 100 registered swap dealers and futures commission merchants (“FCMs”) 
that meet the definition of “banking entity.” In addition, under Section 619, some 
of these banking entities may be subject to oversight by other regulators. For exam- 
ple, a joint FCM/broker-dealer would be subject to both CFTC and SEC jurisdiction 
and in such circumstances, the CFTC will monitor the activities of the entity di- 
rectly and also coordinate closely with the other functional regulator(s). 

In this regard, Section 619 of the Dodd-Frank Act amended the Banking Holding 
Company Act to direct the CFTC itself to write rules implementing Volcker Rule 
requirements for banking entities “for which the CFTC is the primary financial reg- 
ulatory agency” as that term was defined by Congress in Dodd-Frank. Accordingly, 
as Congress Erected, the CFTC’s final rule applies to entities that are subject to 
CFTC registration and that are banking entities, under the Volcker provisions of the 
statute. 

To ensure consistent, efficient implementation of the Volcker Rule, and to address, 
among other things, the jurisdiction issues I just mentioned, the agencies have es- 
tablished a Volcker Rule implementation task force. That task force also will be the 
proper vehicle to examine the means for coordinated enforcement of the rule. Al- 
though compliance requirements under the Volcker Rule do not take effect until 
July 2015, the CFTC is exploring now whether to take additional steps, including 
whether to adopt formal procedures for enforcement of the rule. As part of this proc- 
ess, I have directed CFTC staff to consider whether the agency should adopt such 
procedures and to make recommendations in the near future. 

Volcker Rule: Lowering Risk in Banking Entities 

The final Volcker Rule closely follows the mandates of Section 619 and strikes an 
appropriate balance in prohibiting banking entities from engaging in the types of 
proprietary trading activities that Congress contemplated when considering Section 
619 and in protecting liquidity and risk management through legitimate market 
making and hedging activities. In adopting the final rule, the CFTC and other regu- 
lators were mindful that exceptions to the prohibitions or restrictions in the statute, 
if not carefully defined, could conceivably swallow the rule. 

Banking entities are permitted to continue market making — an important activity 
for providing liquidity to financial markets — but the agencies reasonably confined 
the meaning of the term “market making” to the extent necessary to maintain a 
market-making inventory to meet near-term client, customer or counterparty de- 
mands. 

Likewise, the final rule permits hedging that reduces specific risks from indi- 
vidual or aggregated positions of the banking entity. 

The final Volcker Rule also prohibits banking entities from engaging in activities 
that result in conflicts of interest with clients, customers or counterparties, or that 
pose threats to the safety and soundness of these entities, and potentially therefore 
to the U.S. financial system. 

The final Volcker rule also limits banking entities from sponsoring or owning “cov- 
ered funds,” which include hedge funds, private equity funds or certain types of 
commodity pools, other than under certain limited circumstances. The final rule fo- 
cuses the prohibition on certain types of pooled investment vehicles that trade or 
invest in securities or derivatives. 

Finally, and importantly, the final Volcker Rule requires banking entities to put 
in place a compliance program, with special attention to the firm’s compliance with 
the rule’s restrictions on market making, underwriting and hedging. It also requires 
the larger banking entities to report key metrics to regulators each month. This new 
transparency, once phased-in, will buttress the CFTC’s oversight of swap dealers 
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and FCMs by providing it additional information regarding the risk levels at these 
registrants. 

TruPS Interim Final Rule 

Even with resource constraints, the CFTC has been responsive to public input and 
willing to explore course corrections, when appropriate. With respect to the Volcker 
Rule, the CFTC, along with the other agencies, last month unanimously finalized 
an interim final rule to allow banks to retain collateralized debt obligations backed 
primarily by trust-preferred securities (TruPS) issued by community banks. The 
agencies acted quickly to address concerns about restrictions in the final rule, dem- 
onstrating again the commitment of the agencies at this table to ongoing coordina- 
tion. In doing so, the CFTC and the other agencies protected important markets for 
community banks, as Congress directed. 

Implementation Stage of Dodd-Frank 

Looking ahead through the lens of what already has heen done, it is clear that 
the Commission and all stakeholders will need to closely monitor and, if appro- 
priate, address the inevitable challenges that will come with implementing the new 
regulatory framework under Dodd-Frank. 

For the CFTC, only a few rulemakings remain to be re-proposed or finalized in 
order to complete the implementation of Dodd-Frank. Indeed, in just a matter of 
days, the compliance date for perhaps the last remaining, major hallmark of the re- 
form effort will arrive: the effective date of the swap-trading mandate. 

Rules the Commission is working to address in the coming months include capital 
and margin requirements for uncleared swaps, rulemakings intended to harmonize 
global regulations for clearinghouses and trading venues, and finalizing position 
limits. 

There are other important matters in the months ahead as well. 

Allow me to mention some of these matters before the Commission as we move 
forward with Dodd-Frank implementation. 

Made Available to Trade Determinations 

As a result of the trade execution mandate, many swaps will, for the first time, 
trade on regulated platforms and benefit from market-wide, pre-trade transparency. 
These platforms are designed to improve pricing for the buy-side, commercial end 
users, and other participants that use these markets to manage risk. Additionally, 
SEFs, as registered entities, are required to establish and enforce comprehensive 
compliance and surveillance programs. 

The Commission’s trade execution rules complement our other efforts to stream- 
line participation in the markets by doing away with the need to negotiate bilateral 
credit arrangements and removing impediments to accessing liquidity. This not only 
benefits the end users that the markets are intended to serve, but also new entrants 
seeking to compete for liquidity who now are able to access the markets on impar- 
tial terms. In essence, the Commission’s implementation of the trade execution man- 
date supports a transparent, risk-reducing swap-market structure under CFTC 
oversight. 

In recent weeks, the “Made Available to Trade Determinations” filed by four swap 
execution facilities (“SEFs”) have been deemed certified, making mandatory the 
trading of a number of interest rate and credit default swaps on regulated plat- 
forms. 

There have been some questions in this context about the trading of so-called 
“package transactions,” which often include a combination of financial instruments 
and at least one swap that is subject to the trade execution requirement. I have di- 
rected Division of Market Oversight (“DM0”) staff to hold an open-to-the-public 
roundtable, which will take place February 12, and to further examine these issues 
so that the CFTC can further consider the appropriate regulatory treatment of basis 
trades falling within the meaning of a “package transaction.” 

Data 

In order for the Commission to enforce the significant Dodd-Frank reforms, the 
agency must have accurate data and a clear picture of activity in the marketplace. 

Last month, with the support of my fellow commissioners, I directed an interdivi- 
sional staff working group to review certain swap transaction data, recordkeeping 
and reporting provisions under Dodd-Frank. The working group, led by the director 
of DM0, will formulate and recommend questions for public comment regarding 
compliance with Part 45 reporting rules and related provisions, as well as consist- 
ency in regulatory reporting among market participants. 

We have seen an incredible shift to a transparent, regulated swaps marketplace, 
and this is an appropriate review to ensure the data we are receiving is of the best 
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possible quality so the Commission can effectively oversee the marketplace. I have 
asked the working group to review the incoming public comments and make rec- 
ommendations to the Commission in June. 

Concept Release on Risk Controls and System Safeguards for Automated Trading 
Environments 

The CFTC’s Concept Release on Risk Controls and System Safeguards for Auto- 
mated Trading Environments provides an overview of the automated trading envi- 
ronment, including its principal actors, potential risks, and responsive measures 
taken to date by the Commission or industry participants. It also discusses pre- 
trade risk controls; post-trade reports; system safeguards related to the design, test- 
ing and supervision of automated trading systems; and additional protections de- 
signed to promote safe and orderly markets. Within the release, the Commission 
asks 124 questions and is seeking extensive public input. 

To give the public more time to provide comments, the CFTC extended the com- 
ment period, which continues through February 14. 

Position Limits 

The futures markets have a long history of embracing speculative position limits 
as a tool to reduce unwarranted price fluctuations and minimize the risk of manipu- 
lation, particularly in the spot month, such as corners and squeezes. Our proposed 
position limits rule builds on that history, increases transparency, and lessens the 
likelihood that a trader will accumulate excessively large speculative positions. 

The Commission’s proposed rule respects congressional intent and addresses a 
district court decision related to the Commission’s new position — limits authority 
under Dodd-Frank. 

The comment period on the re-proposed rule closes February 10, and I look for- 
ward to reviewing the public input. 

International Coordination 

Given that the U.S. has nearly delivered on its G20 commitments to derivatives 
reform, and the European Union is close behind, financial regulators recently have 
focused more time on the developing global market structure for swaps. 

The G20 commitments were a reaction to a global financial crisis. Although the 
causes of that crisis are not as clear as some suggest, few would disagree that li- 
quidity constraints at certain firms were at least exacerbated by exposures to de- 
rivatives. 

The plain truth is that risk associated with derivatives is mobile and can migrate 
rapidly across borders in modern financial markets. An equally plain truth is that 
any efforts to monitor and manage global systemic risk therefore must be global in 
nature. 

Risk mobility means that regulators in the United States and abroad do not have 
the luxury of limiting their oversight to financial activities occurring solely within 
their borders. Financial activities abroad may be confined to local markets in some 
cases, but the financial crisis, and more recent events, make clear that the rights 
and responsibilities that flow from these activities often are not. 

Perhaps as important. Congress reacted to the financial crisis by authorizing the 
CFTC to oversee activities conducted beyond its borders in appropriate cases. It 
could have limited the CFTC’s oversight to only those entities and activities located 
or occurring within our shores, but it did not. In fact. Congress recognized in Dodd- 
Frank that even when activities do not obviously implicate U.S. interests, they can 
still create less obvious but legally binding obligations that are significant and di- 
rectly relevant to the health of a U.S. firm; and which in the aggregate could have 
a material impact on the U.S. financial system as a whole. 

So it is clear to me that the CFTC took the correct approach in adopting cross- 
border policies that account for the varied ways that risk can be imported into the 
U.S. At the same time, the CFTC’s policies tried to respect the limits of U.S. law 
and the resource constraints of U.S. and global regulators. That is in part why, last 
December, the CFTC approved a series of determinations allowing non-U.S. swap 
dealers and MSPs to comply with Dodd-Frank by relying on comparable and com- 
prehensive home country regulations, otherwise known as “substituted compliance.” 

Those approvals by the CFTC reflect a collaborative effort with authorities and 
market participants from each of the six jurisdictions with registered swap dealers. 
Working closely with authorities in Australia, Canada, the EU, Hong Kong, Japan, 
and Switzerland, the CFTC issued comparability determinations for a broad range 
of entity-level requirements. And in two jurisdictions, the EU and Japan, the CFTC 
also issued comparability determinations for a number of key transaction-level re- 
quirements. 
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It appears at this time that the substituted compliance approach has been suc- 
cessful in supporting financial reform efforts around the globe and a race-to-the-top 
in global derivatives regulation. Last month, for example, the European Union 
(“EU”) agreed on updated rules for markets in financial derivatives, or the Markets 
in Financial Instruments Directive II (“MiFiD 11”), reflecting great progress on de- 
rivatives reform in the EU. Other jurisdictions that host a substantial market for 
swap activity are still working on their reforms, and certainly will be informed by 
the EU’s work and the CFTC’s ongoing coordination with foreign regulators. 

As jurisdictions outside the U.S. continue to strengthen their regulatory regimes 
and meet their G20 commitments, the CFTC may determine that additional foreign 
regulatory requirements are comparable to and as comprehensive as certain require- 
ments under Dodd-Frank. 

The CFTC also has made great progress with the European Commission since 
both regulators issued the Path Forward statement last summer, and we are ac- 
tively working with the Europeans to ensure that harmonized regulations on the 
two continents promote liquidity formation and sound risk management. Frag- 
mented liquidity, and the regulatory and financial arbitrage that both drives and 
follows it, can lead to increased operational costs and risks as entities structure 
around the rules in primary swap markets. 

Harmonizing regulations governing clearinghouses and trading venues, in par- 
ticular, is critical to sound and efficient market structure. Even if firms are able to 
navigate the conflicts and complexities of differing regulatory regimes, regulators 
here and abroad must do what they can to avoid incentivizing corporate structures 
and inter-affiliate relationships that will only make global financial firms more dif- 
ficult to understand, manage, and unwind during a period of market distress. 

Conversely, this translates to open, competitive derivatives markets. It means effi- 
cient and liquid markets. A global regime is the best means to avoid balkanization 
of risk and risk management that may expose the U.S. financial system over time 
to risks that are unnecessary, needlessly complex, and difficult to predict and con- 
tain. 

In light of the CFTC’s swaps authority, and the complexities of implementing a 
global regulatory regime, the Commission is working with numerous foreign au- 
thorities to negotiate and sign supervisory arrangements that address regulator-to- 
regulator cooperation and information sharing in a supervisory context. We cur- 
rently are negotiating such arrangements with respect to swap dealers and MSPs, 
SDRs, SEFs, and derivatives clearing organizations. 

As a final note on cross-border issues, on February 12 the Global Markets Advi- 
sory Committee (“GMAC”), which I sponsor, will meet to discuss the November 14, 
2013, CFTC staff advisory on applicability of transaction-level requirements in cer- 
tain cross-border situations. 

The CFTC and Customer Information Security 

The CFTC takes our responsibility to protect against the loss or theft of customer 
information seriously. However, the CFTC’s funding challenges, and thus our lim- 
ited examinations staff, have an impact on the agency’s ability to examine and en- 
force critical rules that protect customer privacy and ensure firms have robust infor- 
mation security and other risk management policies in place. 

The Gramm-Leach-Bliley Act was enacted in 1999 to ensure that financial institu- 
tions respect the privacy of their customers. Part 160 of the CFTC’s regulations was 
adopted pursuant to the Gramm-Leach-Bliley Act and addresses privacy and secu- 
rity safeguards for customer information. Under the law, swap dealers, FCMs and 
other CFTC registrants must have “policies and procedures that address adminis- 
trative, technical and physical safeguards for the protection of customer records and 
information.” These policies and procedures are designed to protect against unau- 
thorized access to customer records or information. 

The CFTC is working to strengthen our registrants’ compliance with the law. The 
agency is poised to release a staff advisory to market participants outlining best 
practices for compliance. The advisory recommends, among other best practices, that 
registrants should assess existing privacy and security risks; design and implement 
a system of procedures and controls to minimize such risks; regularly test privacy 
and security controls, including periodic testing by an independent party; annually 
report to the board on these issues; and implement an incident response program 
that includes notifying the Commission and individuals whose information was or 
may be misused. In addition, the CFTC has recently issued new customer protection 
regulations that include, among other regulations, new requirements for risk man- 
agement by firms. Security safeguards are an element of risk management that 
needs to be addressed by this new regulation. 
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Last year, the CFTC also issued interpretive guidance, mirroring that of other fi- 
nancial agencies, clarifying that reporting of suspected financial abuse of older 
Americans to appropriate law enforcement agencies does not violate the privacy pro- 
visions within Part 160 of the Commission’s rules. 

Though enforcement of CFTC Part 160 rules is a challenge given our limited re- 
sources, we have enforced them in the past. In one instance, the CFTC settled a 
case with an FCM when an employee of that FCM placed files containing sensitive 
personally identifiable information on a public Web site, and the FCM did not have 
effective procedures in place to safeguard customer information. 

In addition to Part 160, the CFTC’s Dodd-Frank rules for DCMs, SEFs and SDRs 
require these entities to notify the CFTC of all cybersecurity incidents that could 
potentially or actually jeopardize the security of information. 

Last spring, the CFTC and SEC adopted final “red flags” rules under the Dodd- 
Erank Act requiring CFTC and SEC registrants to adopt programs to identify and 
address the risk of identity theft. As the law required, our rules establish special 
requirements for credit and debit card issuers to assess the validity of change of ad- 
dress, but currently, the CFTC entities that must follow these identity theft rules 
do not issue credit or debit cards. A number of firms, however, do accept credit and 
debit cards for payment, which presents a different type of risk. 

The CFTC also has adopted a rule regarding the proper disposal of consumer in- 
formation requiring reasonable measures, such as shredding, to protect against un- 
authorized access. 

Retail Payment Systems 

The Commission’s new customer protection rules on risk management require 
FCMs to develop risk management policies that address risks related to retail pay- 
ment systems, such as anti-money laundering, identity theft, unauthorized access, 
and cybersecurity. 

The CFTC currently does not have the resources to conduct any direct examina- 
tions of retail payment systems. The CFTC does indirectly look at the risks of retail 
payment systems through designated self-regulatory organizations (DSRO). The 
DSRO covers the operational aspects of the money movement through their risk- 
based programs. Additionally, DSROs perform a review of anti-money laundering at 
FCMs looking at a number of aspects of a retail payment system — source of funds, 
cash transactions, customer identity, money laundering and staff training. 

For the vast majority of our registrants, the retail payment system is through nor- 
mal banking channels, such as wire transfers. Only a few of our registrants accept 
credit or debit cards, and none currently accept virtual currency payment systems. 
Virtual currency, however, does present new risk, as a firm would be interacting 
outside of bank payment channels, increasing the risk of hacking or fraud, among 
other cybersecurity issues. The CFTC is working with registrants that are seeking 
to accept virtual currencies to educate them about best practices. 

Data Breach Response 

The CFTC’s response to a data breach incident would include immediately assess- 
ing the situation with the registrant to understand the magnitude of the breach and 
its implications on customers and the marketplace. We would coordinate with other 
regulators and law enforcement and together determine the appropriate course of 
action. Our response would include an analysis of the data compromised, immediate 
notification to affected customers (unless law enforcement prohibits that notifica- 
tion), supporting customers by having the firm provide free credit monitoring serv- 
ices, ensuring customers know how to change user IDs and passwords, and having 
the firm closely monitor customer activity to look for signs of identity theft. 

Looking ahead, the Commission is considering implementing rules under Gramm- 
Leach-Bliley to expand upon our current customer protection regulations with more 
specificity regarding the security of customer information. 

Resources 

To be effective, the CFTC’s oversight of these registrants requires technological 
tools and staff with expertise to analyze complex financial information. On that 
note, I am pleased that the House and Senate have agreed to an appropriations bill 
that includes a modest budgetary increase to $215 million for the CFTC, lifting the 
agency’s appropriations above the sequestration level that has been challenging for 
planning and orderly operation of the agency. The new funding level is a step in 
the right direction. We will continue working with Congress to secure resources that 
match the agency’s critical responsibilities in protecting the safety and integrity of 
the financial markets under its jurisdiction. We need additional staff for surveil- 
lance, examinations, and enforcement, as well as investments in technology, to give 
the public confidence in our ability to oversee the vast derivatives markets. 
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Conclusion 

For the CFTC, the Volcker Rule was one of the last remaining rulemakings re- 
quired by Dodd-Frank. Only a few rulemakings remain to be re-proposed or final- 
ized in order to complete the implementation of the legislation. Indeed, in just a 
matter of days, the compliance date for perhaps the last remaining major hallmark 
of the reform effort will arrive: the effective date of the swap-trading mandate. 
Looking forward, the agency will continue working to ensure an orderly transition 
to, and adoption of, the new market structure for swaps, and adjusting as necessary. 

Thank you again for inviting me today. I would be happy to answer any questions 
from the Committee. 




RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM MARY J. MILLER 

Q.l. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to investigate 
and tafe action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.I. Attacks on retail payment systems have gained heightened at- 
tention over the past months, following the widely reported data 
breach of the Target Corporation. Cyber criminals have taken ad- 
vantage of cybersecurity vulnerabilities within the networks of re- 
tail merchants and financial services firms to unlawfully obtain 
credit card information and other payment card data from Point- 
of-Sale terminals. While the theft of credit card information has re- 
sulted in fraud against financial institutions, much of the liability 
for these losses will be borne by the retailers where the original 
breach took place. This is a result of the structure of contracts be- 
tween banks and merchants, which rely upon industry imposed 
standards. 

Because technology continues to evolve and malicious actors 
adapt their techniques, no one security solution is likely to resolve 
the cybersecurity challenges banks face. As the sector specific agen- 
cy for financial services. Treasury strongly supports the financial 
sector’s efforts to take a comprehensive approach to cybersecurity, 
including by using the National Institute of Standards and Tech- 
nology’s Framework for Improving Critical Infrastructure 
Cybersecurity. This Framework provides firms with a methodology 
that can be used to review their own risk management activities 
and could be useful in managing their supply chain vendors. For 
this reason, we have been working closely with the financial serv- 
ices sector to promote use of the Framework. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. Though Treasury does not have regulatory authority in this 
area, we closely monitor developments in payments technology. 
Treasury has observed that many banks have already begun to 
issue chip cards to better secure payments. In addition, many re- 
dos) 
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tailers have purchased terminals that are Europay, MasterCard 
and Visa (EMV) compliant. Industry participants have expressed 
that the primary barrier to adoption of these new standards is the 
cost of conversion. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIFIs. Would you all be willing to sup- 
port more reliance on measurable metrics in FSOC’s designation 
process? 

A.3. Under Section 113 of the Dodd-Frank Act, the Financial Sta- 
bility Oversight Council (Council) may determine that a nonbank 
financial company shall be subject to Federal Reserve supervision 
and enhanced prudential standards if the company’s material fi- 
nancial distress, or the nature, scope, size, scale, concentration, 
interconnectedness, or mix of activities of the company, could pose 
a threat to U.S. financial stability. 

The Council provided considerable public transparency into its 
process for considering nonbank financial companies for designa- 
tion by voluntarily publishing a rule and guidance outlining how it 
would apply the statutory criteria and review firms for potential 
designation. The Council’s rule and guidance on nonbank designa- 
tions benefited from multiple rounds of public comment, even 
though the Council was not required to conduct a rulemaking proc- 
ess. The Council’s public guidance established clear, quantitative 
metrics that the Council uses to identify firms for evaluation and 
extensively described the firm-specific analysis that the Council 
conducts. 

The Council’s guidance also includes sample metrics the Council 
may consider in its in-depth analysis of companies for potential 
designation. However, the guidance notes that a designation deci- 
sion cannot be reduced to a formula. Due to the diverse types of 
nonbank financial companies and the unique threats that these 
nonbank financial companies may pose to U.S. financial stability, 
the Council’s analysis will depend on the particular circumstances 
of each nonbank financial company under consideration and the 
unique nature of the threat it may pose to U.S. financial stability. 

The Council appreciates the important oversight role of the GAO. 
We are confident that our process has been consistent with the 
Council’s statutory duties and that the Council has provided the 
public and affected companies with extensive opportunities for 
input. 

RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM 

MARY J. MILLER 

Q.l. FSOC has been in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
teria followed, as well as the implications and process to be fol- 
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lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.l. The Council has provided tremendous public transparency into 
its process for considering nonbank financial companies for des- 
ignation by voluntarily publishing a rule and guidance outlining 
how it would apply the statutory criteria and review firms for po- 
tential designation. In addition, the Council has reported to Con- 
gress and released to the public explanations of the basis for each 
of the three nonbank designations that it has completed. 

The Council’s rule and guidance on nonbank designations bene- 
fited from multiple rounds of public comment, even though the 
Council was not required to conduct a rulemaking process. The 
Council’s public guidance established clear, quantitative metrics 
that the Council uses to identify firms for evaluation and exten- 
sively described the firm-specific analysis that the Council con- 
ducts. 

Firms under review for potential designation have numerous and 
extensive opportunities to engage directly with the Council before 
any designation. First, the Council provides the company with a 
notice that it is under consideration and an opportunity to submit 
materials to contest the Council’s consideration. This goes beyond 
what is required by the statute. Second, before any proposed des- 
ignation, there is extensive interaction between Council staff and 
the company, including a number of meetings and information re- 
quests. After the Council makes a proposed designation, the Coun- 
cil sends the company a written explanation, and the company is 
entitled to a hearing to contest the proposed designation. To date, 
there has been only one company that has requested an oral hear- 
ing; the Council granted it, and the Council members themselves 
presided over the hearing and heard directly from the company’s 
representatives. 

In addition, any designated company has a right to seek judicial 
review of the designation. The Council also reviews all nonbank 
designations annually, based on a process set forth in the Council’s 
rule that allows any designated company to participate in the proc- 
ess. 

Due to the preliminary nature of the Council’s evaluation of any 
nonbank financial company prior to a final designation and the po- 
tential for market participants to misinterpret such an announce- 
ment, the Council does not publicly announce the name of any com- 
pany that is under review prior to a final designation of the com- 
pany. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
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CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. The Federal Reserve Board recently announced that it intends 
to exercise its authority to give banking entities two additional 1- 
year extensions to conform their ownership interests in, and spon- 
sorship of CLOs covered by, the Volcker Rule. The Federal Reserve 
Board also noted that the four other agencies charged with enforc- 
ing the requirements of the Volcker Rule plan to administer their 
oversight of banking entities in accordance with the Federal Re- 
serve Board’s extension of the conformance period applicable to 
CLOs. In April 2014, the Federal Reserve Board, in consultation 
with the other rule-writing agencies, announced that it intends to 
exercise its authority to give blanking entities two additional 1-year 
extensions to bring into conformance with the Volcker Rule their 
ownership interests in and sponsorship of CLOs. This relief should 
reduce pressure on banking entities to sell CLOs before the dead- 
line for conformance. 

Q.3. Can you speak to other reports/studies that the OFR may do 
and if there will be some kind of open/regular process that will be 
followed for the public to review and comment? In terms of the 
OFR’s Study on Asset Management and Financial Stability, do you 
know how many comments were received and the general nature/ 
issues raised in these comments? 

A.3. There are no pending requests from the Council to the OFR 
for reports at this time. However, the OFR Director sets the agen- 
da of the OFR and has the discretion to explore matters that might 
have an impact on the financial stability of the United States. After 
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the OFR delivered the report to the Council and posted it on the 
OFR Web site, the Securities and Exchange Commission solicited 
public comment on the OFR report and posted the comment letters 
on its Web site. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM DANIEL K. TARULLO 

Q.l. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to investigate 
and tafe action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.l. The presence of numerous and varied participants in payment 
processing, such as banks, merchants, and service providers, in- 
creases the complexity of securing financial and customer informa- 
tion throughout the payment process. The Federal Reserve guid- 
ance sets expectations for financial institutions to tailor and imple- 
ment risk assessment and mitigation plans for material business 
lines that include processes ranging from layered security architec- 
tures to heightened monitoring of customer account activity. Finan- 
cial institutions are expected to maintain robust and flexible inci- 
dent response and management programs, with the goal of mini- 
mizing the effects, both financial and reputational, of merchant 
data breaches. When a breach does occur, financial institutions are 
expected to assess the risks to the institution and its customers 
and to implement plans to mitigate those risks. Risk mitigation 
plans typically include enhanced account and systems monitoring 
and reporting to detect unusual activity and to obtain information 
to mitigate the effects of the security incident. Depending on the 
details of a specific incident, additional actions may include cus- 
tomer notification and card reissuance. 

When responding to a third-party data breach, participants in 
the payment system face the challenge of devising an appropriate 
response with incomplete information about the extent and origin 
of the particular compromise. For example, information regarding 
the scope of merchant data breaches, including the extent and type 
of compromised data, is generally limited initially, requiring deci- 
sions regarding the monitoring of customer accounts, notification of 
customers, and the reissuance of cards based upon minimal and 
evolving information. Depending upon the characteristics of the 
specific breach, additional challenges may result from the use of ex- 
ternal providers of technology and other services to support pay- 
ment processing functions. 

The Federal Reserve guidance on information security and pay- 
ment systems outlines expectations for financial institutions re- 
garding information security programs and controls, including on- 
going assessments of application and business line needs as busi- 
ness activities evolve and the use of metrics to assess the effective- 
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ness of controls. Financial institutions should address the chal- 
lenges of merchant data breaches by continuously advancing their 
risk management capabilities to minimize the risk of breaches oc- 
curring and to mitigate the impact of breaches when they do occur. 
Financial institutions should maintain effective information secu- 
rity programs, including controls, systems, and resources to detect 
customer data breaches and to mitigate any resulting financial and 
reputational losses. The Federal Reserve’s 2013 Guidance on Man- 
aging Outsourcing Risk, SR 13-19/CR 13-21, directs financial insti- 
tutions to appropriately manage risk associated with vendors and 
subcontractors. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. Regulated entities are moving forward with Europay, 
MasterCard and Visa (EMV) for payment cards according to their 
own business needs and strategic plans. EMV cards contain embed- 
ded microprocessors that provide transaction security features and 
other capabilities which cannot be provided with magnetic stripe 
cards. A card issuer’s decision to implement EMV is influenced by 
the timing of merchant’s plans to upgrade their point-of-sale (PCS) 
terminals and systems to read the EMV chip, and, similarly, mer- 
chant’s decisions to upgrade their systems are influenced by the 
timing of the issuance of EMV-enabled cards. 

One of the largest obstacles to EMV adoption is the cost that 
card system participants must incur to implement the new stand- 
ard: merchants must consider the cost of chip-enabled POS termi- 
nals and related systems; processors must coordinate with mer- 
chants to manage the new transaction format and data stream 
from EMV terminals; and banks must issue new chip-based credit 
and debit cards to their customers. 

The recent high-profile breaches have generated renewed interest 
in EMV adoption. Although breaches remind payment system par- 
ticipants that magnetic stripe cards are vulnerable to fraud, there 
is a low likelihood that more fraud will significantly accelerate 
EMV migration because of the time and cost required to build out 
the necessary infrastructure. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIEIs. Would you all be willing to sup- 
port more reliance on measurable metrics in ESOC’s designation 
process? 

A.3. I agree that objective, numerical criteria should be a central 
part of the systematically important financial institutions (SIEI) 
designation process. Reliance on such criteria increases the trans- 
parency of the process and reduces market participants’ uncer- 
tainty regarding the potential for a firm’s designation as a nonbank 
SIEI. Such increased certainty improves the efficient functioning of 
U.S. financial markets and contributes to financial stability. 
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The SIFI designation process assesses the potential harm to U.S. 
financial stability from the material financial distress of a firm and 
whether the nature, scope, size, scale, concentration, interconnect- 
edness, or activity mix of a firm could pose a threat to U.S. finan- 
cial stability. Many important factors in these assessments, such as 
a firm’s size and leverage, can clearly be measured using objective, 
numerical calculations that can be replicated by firms and market 
participants using publicly available data. 

However, while some factors may be summarized with measur- 
able metrics, computing these metrics may rely on nonpublic infor- 
mation, such as detailed data on assets, liabilities and counterparty 
relationships. Further, other factors, such as the potential harm 
from forced asset sales, may best be summarized using a range of 
metrics, some of which may rely on somewhat complex, albeit 
standard, models such as value-at-risk measures. Finally, certain 
factors, such as the relationship of a firm with other significant 
intermediaries, may require a measure of judgment that cannot yet 
be fully captured by any agreed-upon statistic or model. 

Q.4. Please explain how and why the agencies failed to foresee the 
accounting issue with the treatment of the Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs) in the final Volcker 
Rule. Did the proposed rule include requisite language seeking 
public comment on TruPS CDOs, as finalized? If so, please provide 
that language from the proposed rule. If not, please explain why 
the proposal did not seek that specific information and whether the 
agencies believe they satisfied the notice-and-comment require- 
ments under the Administrative Procedure Act. 

A.4. In November 2011, the Federal Reserve, the Office of the 
Comptroller of the Currency (OCC), the Federal Deposit Insurance 
Corporation (FDIC), the Security Exchange Commission (SEC), and 
the U.S. Commodity Futures Trading Commission (CFTC) (collec- 
tively, the Agencies) issued a proposed rule that asked a number 
of questions seeking public comment regarding the treatment of 
securitizations. See, e.g., Fed. Reg. 68,846 at 68,898-90, 68,912, 
68,914-15. Among other issues, these questions specifically sought 
comment on the impact of section 13 of the Bank Holding (Company 
Act (BHCA) and the proposal, on securitization vehicles, which in- 
cludes collateralized debt obligations (CDOs) and Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs). The proposal also 
included questions seeking comment about including 
securitizations within the definition of covered fund, as well as re- 
garding the legal, accounting and tax treatment of interests in 
securitizations and how debt interests should be treated. In total, 
the proposal asked approximately 15 questions specifically about 
these issues related to securitizations. Notwithstanding these ques- 
tions, no comments were received on securitizations backed by 
trust preferred securities under the proposed rule. 

To address the costs associated with the requirement in the stat- 
ute and rule requiring divestiture of nonconforming investments in 
covered funds, the Federal Reserve gave an extended conformance 
period until July 21, 2015. The accounting rules, which are outside 
of the purview of the Agencies, brought forward accounting losses 
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for certain investments notwithstanding the Federal Reserve’s ex- 
tension of time to conform the investment. 

After approval of the final rule implementing section 13 on De- 
cember 10, 2013, a number of community banking organizations 
and trade groups expressed concern that the final rule conflicts 
with section 171 of the Dodd-Frank Wall Street Reform and Con- 
sumer Protection Act (the Collins Amendment). Section 171 
(b)(4)(C) specifically permits any community banking organization 
to continue to rely for regulatory capital purposes on any debt or 
equity instruments issued before May 19, 2010. This exemption in- 
cludes trust preferred securities, which are assets held by a num- 
ber of issuers of CDOs. To address these concerns, on January 14, 
2014, the Agencies approved an interim final rule to permit bank- 
ing entities to retain interests in certain collateralized debt obliga- 
tions backed primarily by trust preferred securities and other in- 
struments identified in section 171(b)(4)(C). Although the Agencies 
believe the interim final rule addresses the concerns expressed re- 
lated to TruPS CDOs, the interim final rule invited comment for 
a period of 30 days after its publication in the Federal Register. 
The Agencies will carefully consider all comments that relate to the 
interim final rule. 

Q.5. What specific efforts are the regulators considering to address 
the issue with the Collateralized Loan Obligations (CLOs) in the 
final Volcker rule? In Governor Tarullo’s testimony before the 
House Financial Services Committee, he stated that the CLO issue 
is “already at the top of the list” for regulators to consider and fix. 
How many financial institutions are impacted by the final rule’s 
treatment of CLOs? 

A.5. In keeping with the statute, the final rule excludes from the 
definition of covered fund all securitizations backed entirely by 
loans, including CLOs backed entirely by loans. Data reported by 
insured depository institutions, bank holding companies and cer- 
tain savings and loan holding companies in the Call Report and 
Y9-C forms indicate that only about 50 domestic banking organiza- 
tions held CLOs, including both conforming and nonconforming, as 
of December 31, 2013. The data also indicate that aggregate CLO 
holdings of these banking entities reflect an overall unrealized net 
gain, and unrealized losses reported by individual banking entities 
are not significant relative to their tier 1 capital or income. Addi- 
tionally, new issuances of CLOs in late 2013 and early 2014 appear 
to be conforming to the final rule, and some CLOS issued before 
December 31, 2013, are conforming their investments to the provi- 
sions of section 13. Based on discussions with industry representa- 
tives and a review of data provided by market participants, it ap- 
pears that the current volume of new CLO issuances is higher as 
compared to CLOs issued prior to the adoption of the final rule, 
with U.S. CLO issuances during the 3-month stretch from March 
through May 2014 increasing to an all-time high of approximately 
$35.3 billion. 

On April 7, 2014, the Federal Reserve issued a statement that 
it intends to grant two additional 1-year extensions of the conform- 
ance period under section 13 of the BHC Act that would allow 
banking entities additional time to conform to the statute owner- 
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ship interests in and sponsorship of CLOs in place as of December 
31, 2013, that do not qualify for the exclusion in the final rule for 
loan securitizations.! This would permit banking entities to retain 
until July 21, 2017 ownership interests in and sponsorship of CLOs 
that are not backed entirely by loans that were held as of Decem- 
ber 31, 2013. All of the agencies charged with implementing section 
13 of the BHC Act support the Federal Reserve’s statement.^ 

Q.6. Since the final Volcker rule was issued in December, the af- 
fected entities have recognized two issues with the final rule 
(TruPS CDOs and CLOs). What other issues with the final Volcker 
rule are your agencies aware of that may be raised by affected enti- 
ties? How do you intend to coordinate efforts on clarifying such 
issues in the future? 

A.6. It is not unexpected that rules implementing a complex stat- 
ute that require changes in existing activities would raise questions 
during the implementation process. In part to facilitate resolution 
of these types of issues, the Federal Reserve exercised authority 
provided under section 13 to extend until July 21, 2015, the period 
for banking entities to conform their activities and investments to 
the statute and implementing rules. The Federal Reserve will work 
with the other implementing agencies to address questions regard- 
ing implementation as they arise. 

Q.7. How do you plan to coordinate with other agencies regarding 
enforcement matters and the final Volcker rule, given that your 
agencies have varied jurisdictions? 

A.7. Authority for issuing regulations and implementing the 
Volcker rule is by statute allocated between five Federal regulators. 
As a general matter, the OCC is charged with supervising and en- 
forcing the final rule for national banks and Federal branches of 
foreign banks, the FDIC for State nonmember banks, the SEC for 
U.S. broker-dealers and securities-based swap dealers, and the 
CFTC for futures commission merchants and swaps dealers. The 
Federal Reserve’s primary responsibilities are for depository insti- 
tution holding companies. State member banks, certain unregu- 
lated and foreign subsidiaries of depositor institution holding com- 
panies, and State-chartered branches of foreign banks. 

Staff of the Federal Reserve will continue to engage with staff of 
the other Agencies, and the Agencies will work together, to the ex- 
tent appropriate and practicable, to help ensure consistency in ap- 
plication of the final rule to banking entities covered by the rule. 
In pursuit of our goals for a consistent application of the rule 
across Agencies and across banking entities, staffs of the imple- 
menting Agencies meet regularly to address implementation issues 
as they arise. 

Q.8. Governor Tarullo, you head the Committee on Supervisory 
and Regulatory Cooperation at the Financial Stability Board (FSB). 
There is concern that the FSB will implement bank-centric capital 
standards on insurance companies that are inconsistent with U.S. 
risk-based capital standards. What are you doing to ensure that 


^See Board Statement Regarding the Treatment of Collateralized Loan Obligations Under 
Section 13 of the Bank Holding Company Act (Apr. 7, 2014). 

2 Sec Letter to Chairman Hensarling re: CLOs (Apr. 7, 2014). 
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bank-centric standards are not set for insurance companies, and for 
other nonbank noninsurance financial institutions more generally? 
A.8. One of the lessons learned from the recent financial crisis was 
the need for appropriate consolidated supervision of systemically 
important financial firms to ensure that the risks of the overall 
firms, including those present in both regulated and unregulated fi- 
nancial entities, are appropriately capitalized, measured, and su- 
pervised. The primary focus of the FSB is financial stability. It 
works with international sectoral standard setting bodies such as 
the Basel Committee on Banking Supervision (BCBS) and the 
International Association of Insurance Supervisors (lAIS) to help 
ensure that regulators are identifying and addressing risks within 
those sectors with potential financial stability impact. The decision- 
making and responsibility for the development of appropriate su- 
pervisory and regulatory measures rests with the BCBS and the 
IMS. 

The International Association of Insurance Supervisors (lAIS), 
an organization comprised of over 130 authorities with responsibil- 
ities for insurance supervision from around the world, including the 
National Association of Insurance Commissioners (NAIC), State in- 
surance regulators. Federal Reserve Board, and Federal Insurance 
Office, is in the process of developing international capital stand- 
ards for global systemically important insurers and internationally 
active insurance groups. The lAIS periodically provides updates on 
the lAIS capital projects to the FSB. 

The capital standards being developed by the lAIS would be de- 
signed to measure capital adequacy for relevant firms’ financial ac- 
tivities, including their insurance business, as well as other regu- 
lated and unregulated financial operations. This lAIS project, 
staffed by international supervisors with insurance expertise, has, 
as a goal, the establishment of overall international capital stand- 
ards that would be appropriate for the risks facing financial compa- 
nies with substantial insurance underwriting activities. Once the 
standards are adopted by the lAIS, U.S. regulators, including the 
Federal Reserve and State insurance regulators, would consider if 
and how to implement in the United States the standards for the 
companies that they regulate, consistent with applicable law. Any 
standards the Federal Reserve would seek to implement would be 
proposed to the public with opportunity for public comment. 

Separately, the Board is considering the appropriate capital 
framework for savings and loan holding companies (SLHCs) and 
FSOC designated nonbank financial companies supervised by the 
Board that are substantially engaged in insurance underwriting ac- 
tivities, consistent with section 171 of the Dodd-Frank Act. Insur- 
ance companies that are SLHCs or that are FSOC designated 
nonbank financial companies have different business models and 
risks than bank holding companies that are not substantially en- 
gaged in insurance activities. However, section 171 of the Dodd- 
Frank Act requires that the Board establish minimum risk-based 
and leverage capital requirements on a consolidated basis for bank 
holding companies and savings and loan holding companies, and 
for nonbank financial companies that it supervises. Section 171 
specifically provides that these minimum requirements be not less 
than the “generally applicable” minimum risk-based and leverage 
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capital requirements that apply to insured depository institutions 
(regardless of their asset size or foreign exposure). In addition, 
these minimum requirements cannot be quantitatively lower than 
the “generally applicable” minimum risk-based and leverage capital 
requirements that applied to insured depository institutions when 
the Dodd-Frank Act was adopted in 2010. Section 171 therefore 
limits the scope of the Board’s discretion in establishing minimum 
capital requirements for these companies. 

Under State law, capital requirements for insurance companies 
apply on a legal entity basis, and there are no State-based, consoli- 
dated capital requirements that cover subsidiaries and noninsur- 
ance affiliates of insurance companies. In addition, even among 
regulated insurance companies (primary insurers, captive insurers, 
etc.) there is a degree in variation of the applicable capital and su- 
pervisory standards. 

The final rule regarding enhanced prudential standards that the 
Board adopted on February 18, 2014, does not include require- 
ments for nonbank financial companies, including insurance com- 
panies, designated by the Financial Stability Oversight Council for 
Board supervision. Instead, the Board will apply enhanced pruden- 
tial standards to designated nonbank financial companies through 
a subsequently issued order or rule following an evaluation of the 
business model, capital structure, and risk profile of each des- 
ignated nonbank financial company, consistent with the require- 
ments of section 171 of the Dodd-Frank Act, as discussed above. 
The Board plans to implement requirements for designated 
nonbank financial companies through a transparent process with 
an opportunity for notice and comment. 

The Board continues to carefully consider how to design capital 
rules for Board-regulated companies that are insurance companies, 
that have subsidiaries engaged in insurance underwriting, or that 
are substantially engaged in commercial activities, consistent with 
section 171 of the Dodd-Frank Act. 

Q.9. On January 10, 2014, the Federal Reserve and the FDIC made 
available the public portions of resolution plans for 116 institutions 
that submitted plans for the first time in December 2013, the latest 
group to file resolution plans with the agencies. These living wills 
are based on a premise that when a financial firm is near the 
brink, there will be a marketplace where buyers for assets and op- 
erations are available, but that may not be the case as was evident 
with Lehman’s 2008 collapse when no one wanted to touch what 
was perceived as Lehman’s “toxic assets.” What specifically gives 
you confidence that these living wills will work in the first place 
and that there will be willing buyers for the troubled firm’s assets? 
A.9. The resolution plan regulation jointly issued by the Federal 
Reserve and the FDIC provides that in preparing its initial resolu- 
tion plan, a company may assume that its material financial dis- 
tress or failure occurs under the baseline economic scenario out- 
lined in the Federal Reserve’s stress testing rule, 12 CFR Part 
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252.3 The baseline economic scenario describes a functioning mar- 
ket where there would likely be available buyers for assets and op- 
erations. However, the joint regulation also provides that the next 
iteration of these plans will also have to take into account that the 
material financial distress or failure of the company may occur 
under the adverse and severely adverse economic scenarios out- 
lined in the Federal Reserve’s stress testing rule."^ In preparing fu- 
ture iterations of their plans, currently due in December 2014, the 
institutions that filed their initial plans in December 2013, will 
therefore have to take into account that their material financial 
distress or failure may occur under the adverse and severely ad- 
verse economic scenarios, which reflect conditions where buyers for 
the companies’ assets and operations are less likely to be available. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ 
FROM DANIEL K. TARULLO 

Q.l. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security standards? 
Currently, most standards are set by contract — with the card com- 
panies playing a significant role — and an industry body known as 
PCI determines most of the details and certifies compliance exam- 
iners. Should Federal regulators be playing a greater role? 

A.l. The Payment Card Industry (PCI) Security Standards Council 
released version 3 of the Data Security Standard in November 
2013. PCI’s philosophy has been to drive new compliance require- 
ments as the risk landscape changes. Version 3 includes two new 
key requirements related to data flows and device inventory, which 
incrementally enhance the control environment and protect con- 
sumers from fraud. The industry relies on the PCI Security Stand- 
ards Council to balance cost and effectiveness, which it does by as- 
sessing threats and identifying controls that most effectively ad- 
dress evolving payment card risks. The Federal Reserve and other 
financial regulators have relied on the expertise of the PCI Security 
Standards Council in setting technical data security standards. The 
regulators approach has been to identify broad, outcome-based se- 
curity objectives that supervised entities are expected to meet 
through a mix of technical and nontechnical approaches. 

Regarding the role of Federal regulators, the complexity of the 
regulatory environment mirrors the complexity of the payment 
processing landscape, with regulators focused within their statu- 
tory domains. However, we are aware of the considerable need for, 
and benefits of, coordination and collaboration across domains in 
order to effectively mitigate both firm and systemic risks. The Fed- 
eral Reserve continues to monitor payment system risk and collabo- 
rate with the private sector and public-private partnerships such as 
the Financial and Banking Information Infrastructure Committee 
(FBIIC), Financial Services Sector Coordinating Council (FSSCC), 
and Financial Services Information Sharing and Analysis Center 
(FS-ISAC). 


^ 12 CFR parts 243.4(a)(4) and 381.4(a)(4). The stress scenarios applicable to the December 
2013 resolution plan submissions of the 116 institutions were issued on November 15, 2012. 
http:! / www.federalreserve.gov / newsevents I press / bcreglhcreg2012111Sal.pdf. 

4 Id. 
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Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial institutions 
still very clearly feel the effects. Credit and debit card issuers, for 
example, must notify affected customers and issue new cards, and 
will likely end up bearing some portion of the financial losses that 
occur from fraudulent transactions using stolen card information. 
In the chain of a retail payment transaction, security is only as 
strong as its weakest link. 

In addition to the examinations the Fed conducts regarding regu- 
lated institutions’ own data security, can you describe the Fed’s 
oversight with respect to the security of consumer data across the 
entire chain of consumer payment transactions? 

A.2.a. Federal Reserve oversight of consumer payment transactions 
is limited to our role as a supervisor of financial institutions. Fed- 
eral Reserve staff examine the data security programs of super- 
vised banks for compliance with the information security standards 
required by section 501(b) of the Gramm-Leach-Bliley Act (15 
U.S.C. 6801(b)) and the identity theft red flags rule required by 
section 615(e) of the Fair Credit Reporting Act (15 U.S.C. 
1681m(e)), as well as with Federal Reserve information security 
and payment systems guidance. The Federal Reserve’s supervisory 
process includes an assessment of the adequacy of financial institu- 
tion data security programs in supporting the security and reli- 
ability of customer data. Financial institutions are required to ad- 
dress deficiencies in a timely manner to mitigate risks to both the 
institution and its customers. 

Q.2.b. Should Federal regulators be taking a greater interest in the 
data security standards applicable to other entities that possess 
consumer financial data, beyond just regulated financial institu- 
tions? Are legislative changes necessary or are there legislative 
changes that would help? 

A.2.b. Protecting the safe and sound operation of the Nation’s fi- 
nancial systems is a key priority for the Federal Reserve. To ac- 
complish this, the Federal Reserve works with other regulators to 
promote the implementation of effective information security pro- 
grams and protocols by supervised institutions. However, sensitive 
consumer data are frequently collected and stored by nonregulated 
firms, and these firms may not be held to the same level of infor- 
mation security expectations as financial institutions. As cyber 
threats become increasingly sophisticated, effective security and 
fraud-mitigation measures must evolve to include all players in the 
payment system, including financial institutions, nonfinancial 
firms, and consumers. The security of the payment system is only 
as strong as its weakest link and it is the weakest link that crimi- 
nals will exploit. Given the broad reach of these threats, the Con- 
gress would appear to be the appropriate body to address these 
matters holistically. For example, a national standard that sets 
forth requirements for protecting sensitive consumer data and 
tracking and reporting incidents may help to protect consumers 
and financial systems more broadly. Payment system participants 
should be encouraged to cooperate with each other in preventing, 
detecting, and mitigating cyber-attacks. In addition, the Congress 
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may consider investigating ways to leverage the technical capabili- 
ties of law enforcement and national security agencies with respect 
to cyber threats and attacks, and to encourage continued coordina- 
tion across Government agencies to ensure the safety and security 
of the financial system. Federal Reserve staff would be available to 
participate in discussions regarding these matters. 

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without con- 
sumers’ knowledge or consent. The financial industry is no excep- 
tion. We have heard reports of lenders, for example, mining online 
data sources to help inform underwriting decisions on consumer 
loans. As companies aggregate more data, however, the con- 
sequences of a breach or improper use become greater. 

The Target breach illustrates the risks consumers face — not just 
of fraud, but also identity theft and other hardships. Compromised 
information included both payment card data and personal infor- 
mation such as names, email addresses, and phone numbers. But 
what if the next breach also involves account payment histories or 
Social Security numbers? 

As the ways companies use consumer information changes, and 
the amount of consumer data they hold grows, how is the Fed’s ap- 
proach evolving? Are there steps regulators are taking — or that 
Congress should take — to require stronger protections against 
breaches and improper use, and to mitigate harm to consumers? 
A.3. On an ongoing basis, the Federal Reserve evaluates the need 
for additional guidance to financial institutions, jointly with other 
banking regulators, to promote effective information security pro- 
grams and practices in an environment characterized by rapid 
technological change. The Federal Reserve participates in the Fed- 
eral Financial Institutions Examination Councils (FFIEC) efforts to 
develop and update guidance on a range of information technology 
topics, including information technology management, security, and 
payments. In December 2013, the Federal Reserve issued Guidance 
on Managing Outsourcing Risk, SR 13-19/CA 13-21, to address 
risks related to banks increasing reliance on third-party service 
providers. In this guidance, the Federal Reserve acknowledges that 
third-party outsourcing represents a heightened level of risk and 
complexity and banks must protect against loss of customer data 
and exploits of networks that may expose financial institutions to 
data breaches. The. Federal Reserve is monitoring financial institu- 
tion performance relative to the expectations in the newly released 
outsourcing risk guidance to ensure that third-party contract over- 
sight includes: 1) an appropriate level of due diligence based on 
complexity and criticality; 2) business resumption and contingency 
plans; 3) an assessment of the third-party information security pro- 
grams; and, 4) incident reporting, management, and response pro- 
grams. 

Given the increasingly broad threats to consumer information, 
privacy, and security, the Congress may be the appropriate body to 
address this matter. Potential actions that Congress could consider 
are discussed above in our response to question 2b. 

Q.4.a. A lot of the discussion in the aftermath of the recent data 
breaches has focused on credit and debit card “smart” chip tech- 
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nology, since the U.S. seems to have fallen behind other parts of 
the world such as Western Europe in adopting it. But while card 
chips help to reduce fraud for transactions where a card is phys- 
ically present, and make it harder for thieves to print fake cards 
using stolen information, they do little to reduce fraud for online, 
“card-not-present” transactions. 

Are you comfortable with the steps industry is taking to improve 
security and reduce fraud for “card-not-present” transactions? 

A.4.a. The complex and evolving nature of technology and business 
processes ensures that threat and fraud environments are dynamic 
and that payment system participants must continue to evolve and 
enhance security processes over time. Tools, technologies, and pro- 
cedures employed in the industry to reduce card-not-present (CNP) 
fraud at this point in time include: 

• Address verification requires the customer to provide the card- 
holder’s address on record with the card issuer. 

• Card security verification requires the customer to provide a 3- 
or 4-digit CW2 code printed on the card. Requiring this num- 
ber at checkout helps to ensure that the customer is in posses- 
sion of the physical card since the number is generally not en- 
coded on a magnetic stripe or chip. 

• Geolocation services provide information about a device’s loca- 
tion during transaction processing based on an IP address (on 
a computer) or GPS signal (on a mobile device). The device’s 
location can be compared to the customer’s billing or shipping 
address. 

• Neural network technologies use customer and past transaction 
data to assess the likelihood that a given transaction is fraudu- 
lent. 

• PCI standards places controls on the storage and handling of 
cardholder information. In addition to the measures listed 
above, the industry is developing several promising tech- 
nologies to address new threats. For example, tokenization so- 
lutions could replace a card’s primary account number with a 
proxy number that is valid for a single transaction. End-to-end 
encryption technologies that transmit encoded card data across 
the payment chain are also under development. The use of 
tokenization and end-to-end encryption are potential tools to 
combat threats, such as data breaches. 

The payment card industry is a complex market, and imple- 
menting a new security technology may require investments and 
process changes by merchants, financial institutions, card net- 
works, payment processors, as well as behavioral changes by con- 
sumers. These stakeholders often face different incentives when de- 
ciding to implement a new technology. Given the constantly chang- 
ing threat environment, the complexity of the market, and the 
varying incentives among stakeholders, the Federal Reserve sup- 
ports a layered, technology-neutral, guidance-based approach to 
CNP security. Stakeholders should implement several layers of 
technologies and procedures to mitigate threats. And, as the fraud 
environment changes, stakeholders should revise their approaches 
to CNP fraud and implement updated, cost-effective measures to 
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address the latest threats. The Federal Reserve will continue to 
work with the institutions under its supervision, as well as with 
other regulators, to encourage payment system participants to im- 
prove measures to detect and prevent fraud. 

Q.4.b. Banks and other industry participants need to he proactive 
here, rather than waiting for a major breach to happen before mak- 
ing protective investments. Do you feel that regulated institutions 
are paying sufficient attention to all areas of data security risk, 
and are making the necessary investments to protect consumers 
rather than treating fraud as simply a cost of doing business? 

A.4.b. An effective payment system involves many participants, not 
just depository institutions, and all industry participants should 
take proactive measures to protect consumer data. The increasing 
sophistication of cyber threats makes it difficult to ensure that cur- 
rent investments provide adequate protection against new threats. 
Payment system participants need to employ multiple layers of se- 
curity as well as nontechnology-based policies and procedures (such 
as notifying customers of potentially fraudulent transactions) that 
complement technology-based solutions. Participants need to assess 
the robustness of their information security infrastructures, poli- 
cies, and practices on an ongoing basis in light of the evolving 
threat environment and to make enhancements as appropriate. 

The Federal Reserve expects supervised institutions to contin- 
ually monitor their security systems in the face of evolving threats 
and to upgrade those systems when necessary. To this end, the 
Federal Reserve and other bank regulatory agencies have issued 
several interagency guidance documents that pertain to data 
breach prevention and incident response. The Interagency Guide- 
lines Establishing Information Security Standards (12 CFR part 
208, App. D-2 (2013)) summarizes the standards that financial in- 
stitutions are expected to use in establishing a comprehensive, 
risk-based program to protect customer information. The Inter- 
agency Supplement to Authentication in an Internet Banking Envi- 
ronment (June 28, 2011; SR 11-09) sets out expectations about 
minimum security controls required to prevent loss of customer in- 
formation by data breach, reflecting banks’ increased reliance on 
internet-based technology and the simultaneous increase in 
attacker sophistication. The Interagency Guidance on Response Pro- 
grams for Unauthorized Access to Customer Information and Cus- 
tomer Notice (12 CFR part 208, App. D-2 (2013)) describes the inci- 
dent response program that a financial institution should establish 
to address unauthorized access to or misuse of customer informa- 
tion. Supervised institutions are expected to review and assess 
their procedures and technologies on an ongoing basis and to make 
appropriate changes and investments to ensure an adequate and 
effective level of data protection. 

Based on the results of Federal Reserve examination activities, 
in general, regulated financial institutions have placed a high pri- 
ority on securing information, including corporate, customer, and 
counterparty data. Investments necessary to maintain technology, 
systems, and staff resources to support effective information secu- 
rity programs are being made. However, where necessary, the Fed- 
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eral Reserve leverages its supervisory processes to promote the cor- 
rection of deficiencies identified at specific institutions. 


RESPONSE TO WRITTEN QUESTION OF SENATOR KIRK FROM 
DANIEL K. TARULLO 

Q.l. FSOC has heen in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
teria followed, as well as the implications and process to be fol- 
lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.l. The Financial Stability Oversight Committee (FSOC) — chaired 
by the Secretary of the Treasury and composed of 10 voting mem- 
bers — is charged by Congress with designating systemically impor- 
tant financial institutions. The FSOC has established a robust 
process, after seeking public notice and comment on an initial and 
revised proposal, for exercising its designation authority. The proc- 
ess contains three stages during which the FSOC screens compa- 
nies for review and conducts an in-depth analysis of companies 
that pass the screen. 

In developing this process, the FSOC sought to maximize trans- 
parency with respect to the Determination Process by providing a 
detailed description of (i) the profile of those nonbank financial 
companies likely to be evaluated by the FSOC for a potential deter- 
mination, and (ii) the metrics that the FSOC intends to use when 
analyzing companies at various stages of the Determination Proc- 
ess. There are numerous opportunities during this process for a 
nonbank financial company to communicate with the FSOC and its 
staff and submit information regarding the company’s activities 
and its potential to pose a threat to U.S. financial stability. 

The FSOC applies quantitative metrics to a broad group of 
nonbank financial companies in determining whether a firm should 
be considered for designation. A nonbank financial company will be 
evaluated in Stage 2 if it meets both a size threshold ($50 billion 
in total consolidated assets) and any one of five thresholds that 
measure a company’s interconnectedness, leverage, and liquidity 
risk and maturity mismatch. During Stage 2, a nonbank financial 
company is analyzed based on a wide range of quantitative and 
qualitative information available to the FSOC primarily through 
public and regulatory sources. 

A nonbank financial company that is advanced to Stage 3 re- 
ceives a notice that the company is under consideration for a Pro- 
posed Determination, which also may include a request that the 
nonbank financial company provide information relevant to the 
FSOC’s evaluation. In addition, the nonbank financial company is 
provided an opportunity to submit written materials to the FSOC. 
Following a Proposed Determination, a nonbank financial company 
is provided a written notice of the Proposed Determination, which 
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includes an explanation of the basis of the Proposed Determination. 
A nonbank financial company that is subject to a Proposed Deter- 
mination may request a written or oral hearing to contest the Pro- 
posed Determination. If the FSOC determines to subject a company 
to supervision by the Board of Governors and prudential standards, 
the FSOC will provide the nonbank financial company with written 
notice of the FSOC’s final determination, including an explanation 
of the basis for the FSOC’s decision. 

In 2013, the FSOC determined that material financial distress at 
each of three nonbank financial companies — American Inter- 
national Group, Inc., General Electric Capital Corporation, and 
Prudential Financial, Inc. — could pose a threat to U.S. financial 
stability and that those companies should be subject to Federal Re- 
serve Board supervision and enhanced prudential standards. The 
FSOC released the bases of its determinations on its Web site. The 
FSOC evaluated these firms using the three-stage process. 

The Federal Reserve Board recognizes the critical importance of 
transparency and will continue to pursue ways to promote further 
transparency that are consistent with the FSOC’s central mission 
to monitor emerging threats to the financial system. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
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has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. In keeping with the statute, the final rule excludes from the 
definition of covered fund all securitizations backed entirely by 
loans, including CLOs backed entirely by loans. 

Data reported by insured depository institutions, bank holding 
companies and certain savings and loan holding companies in the 
Call Report and Y9-C forms indicate that only about 50 banking 
organizations owned an interest in a CLO that was backed by as- 
sets that include assets that are not loans, and thus are covered 
by the statute and implementing rules. The data also indicate that, 
as of December 31, 2013, aggregate CLO holdings of these banking 
entities reflect an overall unrealized net gain, and unrealized losses 
reported by individual banking entities are not significant relative 
to their tier 1 capital or income. Based on discussions with industry 
representatives and a review of data provided by market partici- 
pants, it appears that new issuances of CLOs in late 2013 and 
early 2014 are conforming to the final rule. Moreover, the current 
volume of new CLO issuances is higher as compared to CLOs 
issued prior to the adoption of the implementing rules, with month- 
ly U.S. CLO activity increasing to a post-crisis high of $13.3 billion 
in April 2014, the third highest monthly total on record. 

On April 7, 2014, the Federal Reserve issued a statement that 
it intends to grant two additional 1-year extensions of the conform- 
ance period under section 13 of the Bank Holding Company Act 
that would allow banking entities additional time to conform to the 
statute ownership interests in and sponsorship of CLOs in place as 
of December 31, 2013, that do not qualify for the exclusion in the 
final rule for loan securitizations. This would permit banking enti- 
ties to retain ownership interests in and sponsorship of CLOs held 
as of that date until July 21, 2017. All of the agencies charged with 
implementing section 13 support the Federal Reserve’s statement. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM MARTIN J. GRUENBERG 

Q.l. When a data breach happens at a merchant level. Federal 
banking regulators generally do not have jurisdiction to investigate 
and tafe action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.l. Responsibility for security of financial institutions’ customer 
information held at third parties is addressed through contractual 
terms between the two parties. The Federal banking agencies de- 
veloped the Interagency Guidelines Establishing Information Secu- 
rity Standards (12 C.F.R. 364, Appendix B et al.) in response to the 
Gramm-Leach-Bliley Act, Section 501(B). These standards direct all 



124 


insured financial institutions to require service providers, by con- 
tract, to implement appropriate measures to protect against unau- 
thorized access to or use of customer information that could result 
in substantial harm or inconvenience to any customer. 

Each financial institution is expected to manage financial and 
reputational risk related to the products they offer and ensure that 
adequate controls are in place to mitigate that risk. Risk manage- 
ment responsibilities related to potential payment card data 
breaches are addressed through contractual terms and policies 
among the issuing banks, acquiring banks (banks that sponsor 
merchants’ access to the payment card networks), and card net- 
works (Visa and MasterCard). The contractual terms and policies 
describe the responsibility of the parties to implement controls, loss 
liability of the parties, and loss recovery processes. Issuing banks 
and acquiring banks receive fees for their participation in this part- 
nership, in part, to offset risks. The extent to which fees and loss 
recovery models adequately cover card re-issuing costs or costs for 
protecting data at the merchant also is a contractual arrangement. 

The card networks have established notification processes to 
alert the issuing banks of suspected compromised accounts. Issuing 
banks are responsible for limiting the potential for fraud on any ac- 
counts suspected of being compromised once the issuing bank is no- 
tified. 

Conversely, the acquiring banks’ merchants may be fined by the 
card network due to misconduct (such as poor security) to support 
recovery of fraud losses, in addition to direct responsibility for 
fraud due to card-not-present (online) transactions, or card-present 
transactions that are not authorized by the issuer. The acquiring 
bank remains at risk for the merchant’s fines and losses to the ex- 
tent the merchant is unable to meet its responsibilities. The FDIC’s 
role is to ensure the safety and soundness of the issuing banks and 
acquiring banks, including the ensuring of adequate reserves 
against losses, appropriate security controls, and protection of cus- 
tomer accounts against unauthorized charges or withdrawals. 

A significant challenge that financial institutions face as a result 
of data breaches is notification to potentially affected customers 
and the potential for customers to become desensitized by the no- 
tices. Given the frequency that data breaches occur and the goal to 
notify potentially affected customers as soon as possible, customers 
may discard the notices and fail to follow the instructions provided 
to protect their credit rating. Financial institutions can address 
this challenge by providing notices that are written in plain lan- 
guage with clear and direct instructions. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. The FDIC does not mandate specific technologies for data se- 
curity as technology and threats evolve very rapidly. However, the 
FDIC expects financial institutions to establish an information se- 
curity program that will adjust to any relevant changes in tech- 
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nology, the sensitivity of its customer information, and internal or 
external threats to information. The FDIC welcomes the industry 
initiative to strengthen card security technology through the imple- 
mentation of the Europay, MasterCard, and Visa (EMV) global 
standard for card authentication. However, while the new EMV 
standard improves the card-present aspect of fraud prevention, it 
does not make it more difficult to steal the card data from mer- 
chant databases, nor does it address online fraud or fraud at mer- 
chants still accepting credit cards with customer data stored in the 
magnetic stripes (commonly referred to as “mag-stripe”) for pur- 
chases. 

As part of the examination process, the FDIC does not identify 
which financial institutions will offer the new EMV enhanced 
cards. However, to encourage EMV chip card issuance and accept- 
ance, the card brands/networks (Visa, MasterCard, Discover, and 
AMEX) have announced that beginning in October 2015, entities, 
including financial institutions and merchants, that do not use the 
new EMV standard will face increased liability for fraud. We agree 
with their assumption that the potential for increased fraud liabil- 
ity will encourage adoption of the technology. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIFIs. Would you all be willing to sup- 
port more reliance on measurable metrics in FSOC’s designation 
process? 

A.3. The current FSOC framework for the designation of nonbank 
SIFIs addresses the specific statutory considerations set forth in 
Section 113 of the Dodd-Frank Act Wall Street Reform and Con- 
sumer Protection Act (Dodd-Frank Act). It combines measurable, 
quantitative thresholds and metrics with qualitative analysis to ad- 
dress the nature of the unique threats that FSOC seeks to miti- 
gate. Nonbank financial companies engage in a wide variety of 
complex activities and possess material differences in operating 
and financial characteristics. For example, these firms may be 
holding companies or operating companies, and they may have dif- 
fering business models, risk profiles, funding sources, capital struc- 
tures, and interconnections that may make evaluating the systemic 
risk they pose to the U.S. financial system more difficult using 
solely quantitative metrics. 

In April 2012, after notice and public comment, the FSOC issued 
interpretative guidance setting forth both quantitative thresholds 
and qualitative information that the FSOC had determined to be 
relevant in the designation process in order to provide trans- 
parency and clarity to companies, market participants, and the 
public. The FSOC’s interpretative guidance addresses, among other 
things, the uniform quantitative thresholds that the FSOC uses to 
identify nonbank financial companies for further evaluation and 
the six-category framework used to consider whether a nonbank fi- 
nancial company meets either of the statutory standards for a de- 
termination, including examples of quantitative metrics for assess- 
ing each category. In addition, the interpretative guidance includes 
a three-stage process for the review of a nonbank financial com- 



126 


pany, which incorporates quantitative thresholds in the first stage 
and more qualitative company-specific analyses in the second and 
third stages. 

Generally, as reporting requirements evolve and new information 
about certain industries and nonbank financial companies become 
available, the FSOC will be better able to consider whether to es- 
tablish additional metrics and thresholds. 

Q.4. Please explain how and why the agencies failed to foresee the 
accounting issue with the treatment of the Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs) in the final Volcker 
Rule. Did the proposed rule include requisite language seeking 
public comment on TruPS CDOs, as finalized? If so, please provide 
that language from the proposed rule. If not, please explain why 
the proposal did not seek that specific information and whether the 
agencies believe they satisfied the notice-and-comment require- 
ments under the Administrative Procedure Act. 

A.4. It is fair to say that everyone missed the immediacy of the ac- 
counting issues associated with CDOs backed by bank-issued trust 
preferred securities. As part of developing the final rule, the agen- 
cies clearly missed the immediacy; however, the industry and other 
commenters missed the immediacy of this issue as well. For exam- 
ple, throughout the rather extended notice and comment period, 
none of the over 18,000 comment letters raised this issue. 

An important take-away from this episode is how the agencies 
responded when the issue was identified. The agencies worked 
closely together and, with input from the industry, developed an ef- 
fective and timely response to the majority of the bankers’ con- 
cerns. Importantly, the agencies were able to do so in a manner 
that reconciled the broader policy objectives of the Dodd-Frank Act 
without jeopardizing the robustness of the implementation of the 
Volcker Rule. 

As part of the notice-and-comment process, the agencies sought 
robust public comment on the proposed Volcker Rule. Included in 
the notice of proposed rulemaking were several questions seeking 
comments on any concerns or challenges to issuers of asset-backed 
securities and/or securitization vehicles. For example. Question 227 
asked whether certain asset classes, including collateralized debt 
obligations, are more likely to be impacted by the proposed defini- 
tion of “covered fund.” Question 229 asked if there are entities that 
issue asset-backed securities that should be exempted from the re- 
quirements of the proposed rule. Question 231 stated that many 
issuers of asset-backed securities have features and structures that 
resemble some of the features of hedge funds and private equity 
funds, including CDOs, and asked if the proposed definition of “cov- 
ered fund” were to exempt any entity issuing asset-backed securi- 
ties, would this allow for interests in hedge funds or private equity 
funds to be structured as asset-backed securities and circumvent 
the proposed rule. Commenters did not raise concerns about TruPS 
CDOs in their responses to the proposed rule. 

Q.5. What specific efforts are the regulators considering to address 
the issue with the Collateralized Loan Obligations (CLOs) in the 
final Volcker rule? In Governor Tarullo’s testimony before the 
House Financial Services Committee, he stated that the CLO issue 
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is “already at the top of the list” for regulators to consider and fix. 
How many financial institutions are impacted by the final rule’s 
treatment of CLOs? 

A.5. The agencies are carefully considering all requests that have 
been received related to CLOs. These requests have ranged from 
the very narrow — requesting a grandfathering of a well-defined, 
limited number of CLOs issued before publication of the Volcker 
Rule — to the very broad — requesting a change to the definition of 
ownership interest that would potentially allow banks to expand 
their holdings of other types of securitization positions, such as 
synthetic CDOs and structured investment vehicles (SIVs), which 
caused significant financial losses during the crisis. 

The agencies’ staffs jointly have met with representatives of the 
Loan Syndication Trade Association, the American Bankers Asso- 
ciation, the Structured Finance Industry Group, the Financial 
Services Roundtable, and the Securities Industry and Financial 
Markets Association. Based on these discussions with the industry 
representatives, a review of data provided by market participants, 
and discussions among the staffs of the agencies, the agencies 
found: 

• Banking entities that hold legacy CLOs are undertaking a re- 
view of their particular holdings to evaluate where they fit 
within the treatment of covered funds under the agencies’ im- 
plementing regulations. Industry representatives have advised 
the staffs of the agencies that there is a great amount of vari- 
ation from deal to deal in the restrictions applicable to invest- 
ments permitted for CLOs and the rights granted to CLO in- 
vestors. In addition, staffs of the agencies understand from the 
industry that many legacy CLOs may not satisfy the exclusion 
from the definition of covered fund for loan securitizations be- 
cause they may hold a certain amount of nonconforming assets 
(such as bonds or other securities). 

• New CLO issuances have been comparable in volume to the 
CLOs issued prior to the adoption of the implementing rules 
and sponsors have revised their new CLO deals to conform to 
the Volcker Rule’s exception for loan securitizations. In par- 
ticular, market participants have represented that new 
issuances of CLOs in late 2013 and early 2014 after issuance 
of the final rule are conforming to the final rule.^ 

• Data contained in the Call Report and Y9-C forms for asset- 
backed securities or structured financial products secured by 
corporate and similar loans indicate that U.S. banking entities 
hold between approximately $84 billion and $105 billion in 
CLO investments. 2 Of this amount, between approximately 94 
and 96 percent are held by banking entities with total assets 
of $50 billion or more. Holdings of CLOs by domestic banking 
entities represent between approximately 28 to 35 percent of 


^According to S&P, the majority of CLOs issued since the final rule have been structured as 
loan-only securitizations. Year to date, CLO issuance stands at approximately $21 billion, ac- 
cording to Thomson Reuters PLC. 

^This information is based on data compiled as of December 31, 2013, by the Federal banking 
agencies, which undertook a review and analysis of CLO holdings of banking entities that are 
subject to filing Call Report or Y— 9C data, including insured depository institutions, bank hold- 
ing companies and certain savings and loan holdings companies. 
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the $300 billion market for U.S. CLOs, with these holdings 
skewed toward the senior tranches. ^ These aggregate holdings 
reflect an unrealized net gain. Unrealized losses reported by 
individual banking entities are not significant relative to their 
tier 1 capital or income. Up to 52 domestic insured depository 
institutions (all charters) reported holdings of CLOs in their 
held-to-maturity, AFS and trading portfolios. 

To address the concerns regarding CLOs, the Federal Reserve 
Board issued a statement that it intends to grant two additional 
1-year extensions of the conformance period under the Volcker Rule 
that allow banking entities additional time to conform to the stat- 
ute ownership interests in and sponsorship of CLOs in place as of 
December 31, 2013, that do not qualify for the exclusion in the 
final rule for loan securitizations.® The FDIC supports the state- 
ment issued by the Federal Reserve Board. 

Q.6. Since the final Volcker rule was issued in December, the af- 
fected entities have recognized two issues with the final rule 
(TruPS CDOs and CLOs). What other issues with the final Volcker 
rule are your agencies aware of that may be raised by affected enti- 
ties? How do you intend to coordinate efforts on clarifying such 
issues in the future? 

A.6. In the agencies’ release for community banks that accom- 
panied the Final Rule, the agencies noted that a few community 
banks held TruPS CDOs and CLOs that would be affected by the 
rule.® The TruPS CDO issue was the most pressing because the 
TruPS CDOs had lost so much value that the immediate account- 
ing impact was substantial. The agencies worked together on the 
TruPS CDO issue and approved the January 14, 2014, Interim 
Final Rule to address bank investments in certain TruPS CDOs. 
With respect to the CLO issues raised by industry, the agencies 
conducted extensive analysis and met with a number of banking 
and financial services industry groups, as described in more detail 
in the answer to question 5. As a result of this process, the Federal 
Reserve recently issued a statement which announced its intent to 
offer two 1-year extensions to the Final Rule conformance period 
for certain CLOs. The agencies believe that the extension should 
address the compliance issues for many of the legacy CLOs that do 
not meet the loan securitization exemption, allowing many of them 
to mature or be called by investors, and should provide more time 
for CLO managers to evaluate and possibly change the composition 
of the underlying assets to bring the CLOs into conformance. 

The agencies are committed to continued coordination efforts to 
clarify any additional issues or concerns that may be raised with 
respect to the implementation of the Volcker Rule. To better effec- 
tuate coordination and help ensure a consistent application of the 
Final Rule, the agencies have established an interagency Volcker 
Rule implementation working group consisting of senior-level man- 
agers and subject matter experts. This working group has been 


^ OCC supervised institutions hold the majority (95 percent) of this CLO exposure. These posi- 
tions are concentrated in the largest institutions and are held mainly in the AFS portfolio. 

^ Based on Call Report data as of December 31, 2013. 

® See Board Statement regarding the Treatment of Collateralized Loan Obligations Under Sec- 
tion 13 of the Bank Holding Company Act (April 3, 2014). 

® http : / / fdic.gov / regulations / reform / volcker / summary.pdf 
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meeting weekly to discuss coordination matters as well as issues 
such as those related to technical interpretations and specific ac- 
tivities, like those raised on TruPS CDOs and CLOs. 

Q.7. How do you plan to coordinate with other agencies regarding 
enforcement matters and the final Volcker rule, given that your 
agencies have varied jurisdictions? 

A.7. Each agency is ultimately responsible for its own enforcement 
of the Volcker Rule; however, as noted previously, the agencies are 
committed to continued coordination efforts to help ensure a con- 
sistent application of the rule. As noted above, the agencies have 
established a Volcker Rule implementation working group to facili- 
tate interagency coordination on a wide variety of issues. 

Q.8. On January 10, 2014, the Federal Reserve and the FDIC made 
available the public portions of resolution plans for 116 institutions 
that submitted plans for the first time in December 2013, the latest 
group to file resolution plans with the agencies. These living wills 
are based on a premise that when a financial firm is near the 
brink, there will be a marketplace where buyers for assets and op- 
erations are available, but that may not be the case as was evident 
with Lehman’s 2008 collapse when no one wanted to touch what 
was perceived as Lehman’s “toxic assets.” What specifically gives 
you confidence that these living wills will work in the first place 
and that there will be willing buyers for the troubled firm’s assets? 
A.8. The 116 plans represent the latest set of institutions to file 
their initial plans. The FDIC and the Federal Reserve currently are 
in the process of reviewing these resolution plans (or “living wills”), 
as we have done for the plans filed earlier in 2013 and in 2012. 
Under the standards provided in section 165(d) of the Dodd-Frank 
Act, certain firms, known as “covered companies,” are required to 
submit plans for their rapid and orderly resolution under the Bank- 
ruptcy Code in the event of their material financial distress or fail- 
ure. The resolution plan rule jointly promulgated by the FDIC and 
the Federal Reserve, which implements the statutory requirement 
of section 165(d), directs covered companies to include, among other 
items, a discussion of key assumptions and supporting analysis un- 
derlying the covered company’s resolution plan and the processes 
the company employs to assess the feasibility of any sales, 
restructurings, or divestures contemplated in the resolution plan. 
Therefore, to the extent that a firm presents a resolution plan in 
which certain assets of a troubled firm will be sold as a key part 
of its resolution strategy, the firm would need to provide sup- 
porting analysis. In addition, the resolution plans may present op- 
tions for resolution other than asset sales that are consistent with 
bankruptcy (such as restructurings, for example). If the FDIC and 
the Federal Reserve jointly determine that a resolution plan would 
not facilitate an orderly resolution of the covered company under 
the Bankruptcy Code, the FDIC and the Federal Reserve will notify 
the filer of the aspects of the plan that were jointly determined to 
be deficient. The filer must re-submit within 90 days (or other spec- 
ified timeframe) a revised plan that addresses the deficiencies. 
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RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ 
FROM MARTIN J. GRUENBERG 

Q.l. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security standards? 
Currently, most standards are set by contract — with the card com- 
panies playing a significant role — and an industry body known as 
PCI determines most of the details and certifies compliance exam- 
iners. Should Federal regulators be playing a greater role? 

A.l. The FDIC recognizes the importance of effective self-regu- 
latory standards such as PCI data security standards that set ex- 
pectations between regulated card companies and businesses that 
handle payment card data, including retailers, payment processors, 
and others. While such self-regulatory models are an important 
part of data security, the Federal banking agencies also established 
data security standards for financial institutions and those compa- 
nies that do business with financial institutions including payment 
processors. These regulatory standards require financial institu- 
tions to develop and implement effective risk assessment and miti- 
gation processes to protect customer information. These regulatory 
standards also require financial institutions to ensure that any 
third-party they do business with is also required contractually to 
comply with the same security rules for protecting customer infor- 
mation. Further, banking rules such as the Federal Reserve’s Regu- 
lation E and Regulation Z are designed to protect consumers from 
payment card fraud, regardless of where a data breach occurs. The 
setting of standards for other aspects of the consumer payments in- 
dustry is outside the Federal financial regulatory structure. Wheth- 
er additional involvement by the Federal banking agencies should 
be authorized when those standards impact supervised institutions 
is a fair question for Congress to consider. 

Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial institutions 
still very clearly feel the effects. Credit and debit card issuers, for 
example, must notify affected customers and issue new cards, and 
will likely end up bearing some portion of the financial losses that 
occur from fraudulent transactions using stolen card information. 
In the chain of a retail payment transaction, security is only as 
strong as its weakest link. 

In addition to the examinations the FDIC conducts regarding 
regulated institutions’ own data security, can you describe the 
FDIC’s oversight with respect to the security of consumer data 
across the entire chain of consumer payment transactions? 

A.2.a. The FDIC’s authority does not span the entire payment net- 
work. However, the Federal banking agencies examine a number of 
nonbank payment processing companies that provide direct serv- 
ices to our regulated financial institutions as authorized by the 
Bank Service Company Act (12 U.S.C. 1867). Examination of these 
service providers attempts to identify potential systemic risks to 
the banking system and potential downstream risks to client 
banks. 

When financial institutions partner with an outside party, they 
are exposed to additional risks, including reputation and financial 
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risk if their customers’ data is compromised. Given these risks, the 
FDIC seeks to ensure that the financial risk from third-party data 
breaches does not undermine the safety and soundness of the fi- 
nancial institutions. 

Q.2.b. Should Federal regulators be taking a greater interest in the 
data security standards applicable to other entities that posses con- 
sumer financial data, beyond just regulated financial institutions? 
Are legislative changes necessary or are there legislative changes 
that would help? 

A.2.b. Regulatory standards for protecting customer information 
(12 C.F.R. 364, Appendix B) address financial institution respon- 
sibilities for data security. Our oversight, through onsite examina- 
tion programs and enforcement authority for compliance failures, is 
designed to ensure data security standards for customer informa- 
tion are effectively implemented. Similarly, the Federal Trade 
Commission (FTC) can enforce standards for protection of customer 
information (16 C.F.R. 314) by all other financial institutions that 
are not insured depository institutions. 

While financial institutions are subject to both industry stand- 
ards and regulatory standards, others, such as merchants, are not 
subject to any national regulatory requirements to protect con- 
sumer data. If Congress chooses to review the Gramm-Leach-Bliley 
Act, or any other law, to determine whether customer protections 
should be expanded to nonfinancial institutions, the FDIC stands 
ready to assist. Further, the FDIC would recommend a review of 
the Bank Service Company Act to determine whether additional 
enforcement authority is necessary for the Federal banking agen- 
cies with respect to nonbank financial institutions that provide di- 
rect services to banks. 

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without con- 
sumers’ knowledge or consent. The financial industry is no excep- 
tion. We have heard reports of lenders, for example, mining online 
data sources to help inform underwriting decisions on consumer 
loans. As companies aggregate more data, however, the con- 
sequences of a breach or improper use become greater. 

The Target breach illustrates the risks consumers face — not just 
of fraud, but also identity theft and other hardships. Compromised 
information included both payment card data and personal infor- 
mation such as names, email addresses, and phone numbers. But 
what if the next breach also involves account payment histories or 
Social Security numbers? As the ways companies use consumer in- 
formation changes, and the amount of consumer data they hold 
grows, how is the FDIC’s approach evolving? Are there steps regu- 
lators are taking — or that Congress should take — to require strong- 
er protections against breaches and improper use, and to mitigate 
harm to consumers? 

A.3. Many nonbank companies aggregate consumer data, including 
credit reporting bureaus, tax preparers, health care providers, in- 
surers, universities, and Government agencies. The FDIC concurs 
that protection of consumer data is critical across all entities. The 
FDIC is charged with ensuring that banks protect consumer data 
as authorized by the Gramm-Leach-Bliley Act (GLBA), Section 
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501(b). In response to GLBA, the FDIC and the other Federal bank 
regulatory agencies developed the Interagency Guidelines Estab- 
lishing Information Security Standards (12 C.F.R. 364, Appendix 
B) to protect customer information. With respect to protecting cus- 
tomer information, GLBA limits the FDIC’s scope of enforcement 
authority to insured depository institutions. As discussed above. 
Congress might wish to review the Bank Service Company Act to 
determine if the Act adequately addresses third-party risk with re- 
spect to companies that provide direct services to banks. 

Q.4.a. A lot of the discussion in the aftermath of the recent data 
breaches has focused on credit and debit card “smart” chip tech- 
nology, since the United States seems to have fallen behind other 
parts of the world such as Western Europe in adopting it. But 
while card chips help to reduce fraud for transactions where a card 
is physically present, and make it harder for thieves to print fake 
cards using stolen information, they do little to reduce fraud for on- 
line, “card-not-present” transactions. 

Are you comfortable with the steps industry is taking to improve 
security and reduce fraud for “card-not-present” transactions? 

A.4.a. As you indicate, card-not-present transactions may pose a 
higher risk to the merchant and the issuing bank. Absent adequate 
transaction authorization, the merchant may hold a greater degree 
of liability should fraud occur. Issuing banks that authorize trans- 
actions without sufficient fraud monitoring tools, or fail to respond 
to suspected compromised account notices from the card networks, 
could take on greater liability. However, the industry continues to 
struggle to provide effective security for “card-not-present” trans- 
actions. More needs to be done to ensure that there are protections 
in place to ensure proper authorization for these kinds of trans- 
actions, and to ensure that customer data remains protected. As 
online commerce continues to grow, so does this risk. With the up- 
coming implementation of the Europay, MasterCard and Visa 
(EMV) standard, there could potentially be a shift in fraud toward 
card-not-present transactions. To counter that potential, the indus- 
try should consider adopting new standards and technology. Exam- 
ples include tokenization and end-to-end encryption as potential so- 
lutions. 

Q.4.b. Banks and other industry participants need to be proactive 
here, rather than waiting for a major breach to happen before mak- 
ing protective investments. Do you feel that regulated institutions 
are paying sufficient attention to all areas of data security risk, 
and are making the necessary investments to protect consumers 
rather than treating fraud as simply a cost of doing business? 

A.4.b. As a general matter, the EDIC believes that the banks it su- 
pervises are complying with data security requirements and mak- 
ing necessary investments to protect customers from fraud. The 
FI)IC assesses a financial institution’s efforts to protect itself from 
financial risks such as fraud losses through risk mitigation proc- 
esses, such as credit risk management and establishing credit risk 
reserves. Eurther, the Interagency Guidelines Establishing Infor- 
mation Security Standards require financial institutions to imple- 
ment an information security program that assesses risks to cus- 
tomer information, regardless of the potential for fraud losses. Such 
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a program must assess risks to the confidentiality, integrity, and 
availability of customer information. The FDIC assesses the effec- 
tiveness of this program in banks we supervise as part of the 
FDIC’s onsite examination process. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM 
MARTIN J. GRUENBERG 

Q.l. FSOC has been in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
teria followed, as well as the implications and process to be fol- 
lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.l. The FSOC has worked to ensure that the designation of firms 
follows processes that provide transparency and certainty to com- 
panies, market participants, and members of the public and incor- 
porates the specific statutory considerations of Section 113 of the 
Dodd-Frank Act governing designation of nonbank companies. At 
the same time, the FSOC is mindful of nonbank financial compa- 
nies’ concerns that sensitive firm-specific nonpublic information be 
protected from disclosure. To provide transparency and clarity re- 
garding its designation process, the FSOC issued, after notice and 
public comment, a final rule and interpretative guidance in April 
2012. The public comment process helped to ensure that key issues 
were fully considered and transparent to the public. 

The interpretative guidance details the FSOC’s analytical frame- 
work for designation of nonbank financial companies and includes 
quantitative metrics. The analysis performed on each individual 
company considered for designation requires analysis of nonpublic 
information, which may be provided by the company’s regulators 
and by the company itself in response to requests from the FSOC. 
The company is provided with the basis for the FSOC’s proposed 
determination and may request a hearing to contest the determina- 
tion. In addition, the FSOC has adopted policies to ensure that the 
processes are as transparent as practicable to the public. After a 
final designation, a document explaining the basis for its deter- 
mination to designate a company and minutes of the designation 
votes are posted to the FSOC’s public Web site. 

Following a firm’s designation as a SIFI, the implications and 
process to be followed are set out in the Dodd-Frank Act. The Fed- 
eral Reserve, as primary Federal regulator, develops the prudential 
standards that will be applicable to nonbank designated firms, 
under section 165 of the Dodd-Frank Act, for its ongoing super- 
vision of these firms. In addition, the FDIC and the Federal Re- 
serve Board meet with the newly designated firms to provide guid- 
ance for the preparation of their resolution plans under Title I of 
the Dodd-Frank Act. 
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The FDIC, as a member of the FSOC, is committed to the issue 
of transparency and takes these concerns as well as suggestions for 
improvement very seriously. As reporting requirements evolve and 
new information about certain industries and nonbank financial 
companies become available, the FSOC will be better able to con- 
sider whether changes to assure transparency of the designation 
process are needed. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. The agencies have taken the industry concerns regarding the 
treatment of CLOs under the Volcker Rule very seriously and, 
since the issue was first raised, have devoted considerable effort 
and staff resources to examining the industry concerns. For exam- 
ple, the agencies’ staffs jointly have met with representatives of the 
Loan Syndication Trade Association, the American Bankers Asso- 
ciation, the Structured Finance Industry Group, the Financial 
Services Roundtable and the Securities Industry and Financial 
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Markets Association. Based on these discussions with the industry 
representatives, a review of data provided by market participants 
and discussions among the staffs of the agencies, we have found: 

• Banking entities that hold legacy CLOs are undertaking a re- 
view of their particular holdings to evaluate where they fit 
within the treatment of covered funds under the agencies’ im- 
plementing regulations. Industry representatives have advised 
the staffs of the agencies that there is a great amount of vari- 
ation from deal to deal in the restrictions applicable to invest- 
ments permitted for CLOs and the rights granted to CLO in- 
vestors. In addition, staffs of the agencies understand from the 
industry that many legacy CLOs may not satisfy the exclusion 
from the definition of covered fund for loan securitizations be- 
cause they may hold a certain amount of nonconforming assets 
(such as bonds or other securities). 

• New CLO issuances have been comparable in volume to the 
CLOs issued prior to the adoption of the implementing rules 
and sponsors have revised their new CLO deals to conform to 
the Volcker Rule’s exception for loan securitizations. In par- 
ticular, market participants have represented that new 
issuances of CLOs in late 2013 and early 2014 after issuance 
of the final rule are conforming to the final rule.^ 

• Data contained in the Call Report and Y9-C forms for asset- 
backed securities or structured financial products secured by 
corporate and similar loans indicate that U.S. banking entities 
hold between approximately $84 billion and $105 billion in 
CLO investments. 2 Of this amount, between approximately 94 
and 96 percent are held by banking entities with total assets 
of $50 billion or more. Holdings of CLOs by domestic banking 
entities represent between approximately 28 to 35 percent of 
the $300 billion market for U.S. CLOs, with these holdings 
skewed toward the senior tranches. ^ These aggregate holdings 
reflect an unrealized net gain. Unrealized losses reported by 
individual banking entities are not significant relative to their 
tier 1 capital or income. Up to 52 domestic insured depository 
institutions (all charters) reported holdings of CLOs in their 
held-to-maturity, AFS and trading portfolios."^ 

To address the concerns regarding CLOs, the Federal Reserve 
Board issued a statement that it intends to grant two additional 
1-year extensions of the conformance period under section 619 that 
allow banking entities additional time to conform to the statute 
ownership interests in and sponsorship of CLOs in place as of De- 
cember 31, 2013, that do not qualify for the exclusion in the final 


^According to S&P, the majority of CLOs issued since the final rule have been structured as 
loan-only securitizations. First quarter 2014 CLO issuance stands at approximately $21 billion, 
according to Thomson Reuters PLC. 

2 This information is based on data compiled as of December 31, 2013, by the Federal banking 
agencies, which undertook a review and analysis of CLO holdings of banking entities that are 
subject to filing Call Report or Y— 9C data, including insured depository institutions, bank hold- 
ing companies and certain savings and loan holdings companies. 

^ OCC supervised institutions hold the majority (95 percent) of this CLO exposure. These posi- 
tions are concentrated in the largest institutions and are held mainly in the AFS portfolio. 

^ Based on Call Report data as of December 31, 2013. 
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rule for loan securitizations.® The FDIC supports the statement 
issued by the Federal Reserve Board. 

Q.3. On a related point, we have heard that some are of the view 
that the guidance being sought by industry in connection with CLO 
debt securities is too broad. Isn’t it the case that all the agencies 
have to do is issue extremely narrow guidance that states that a 
CLO debt security that has the right to replace a manager for 
cause, without any other indicia of ownership, will not be Seated 
as an “ownership interest” under the Volcker Rule? Even if we 
were to concede (which we do not) that it would be difficult for the 
agencies to grant the requested relief, couldn’t the agencies address 
the issue of legacy CLO securities by simply agreeing (as they did 
in the context of CDOs of Trumps) to grandfather all existing CLO 
debt securities for CLOs issued prior to the publication of the final 
rules in the Federal Register? Wouldn’t this very narrow relief fix 
the problem for banks that purchased CLO debt securities in good 
faith prior to the issuance of the final rule but are now facing po- 
tentially material losses? 

A.3. As noted above in the answer to question 2, the agencies have 
carefully considered the banking industry’s concerns regarding 
bank CLO investments and their treatment under the Volcker 
Rule. After extensive interagency review of these issues, the Fed- 
eral Reserve issued its statement announcing it would extend the 
conformance period for two additional years for certain CLOs. The 
agencies believe that the extension should address the compliance 
issues for many of the legacy CLOs that do not meet the loan 
securitization exemption, allowing many of them to mature or be 
called by investors, and should provide more time for CLO man- 
agers to evaluate and possibly change the composition of the under- 
lying assets to bring the CLOs into conformance. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM THOMAS J. CURRY 

Q.l. When a data breach happens at a merchant level. Federal 
banking regulators generally do not have jurisdiction to investigate 
and tafe action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.l. Banks and Federal savings associations (referenced here as 
“banks”) are required to be on the alert for identity theft involving 
its customers’ information, no matter how and where the identity 
thief acquired the information, even if the information was ac- 
quired from a third party that has no relationship with the bank. 
Following the enactment of the Fair and Accurate Credit Trans- 
actions Act (FACT Act), the Federal banking agencies together with 


® See Board Statement regarding the Treatment of Collateralized Loan Obligations Under Sec- 
tion 13 of the Bank Holding Company Act (April 3, 2014). 
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the Federal Trade Commission issued regulations in 2008 titled 
“Identity Theft Red Flags and Address Discrepancies.” The final 
rules require each financial institution and creditor to develop and 
implement a written identity theft prevention program that in- 
cludes policies and procedures for detecting, preventing, and miti- 
gating identity theft in connection with new and existing accounts. 
The program must cover any consumer account, or any other ac- 
count that the financial institution or creditor offers or maintains 
for which there is a reasonably foreseeable risk to consumers or to 
the safety and soundness of the financial institution or creditor 
from identity theft. In addition, it must include policies and proce- 
dures to identify relevant red flags signaling possible identity theft, 
detect the red flags incorporated into the program, respond appro- 
priately to the red flags that are detected, and ensure the program 
is updated periodically to reflect changes in risks to customers and 
to the institution from identity theft. 

The agencies also issued guidelines to assist financial institu- 
tions to develop and implement an identity theft prevention pro- 
gram. These guidelines state that when a bank detects identity 
fiieft red flags, it is expected to respond appropriately by taking 
steps that include monitoring accounts, contacting the customer, 
changing passwords, closing and reopening the account, and noti- 
fying law enforcement, as appropriate. 

The guidelines also include a supplement that identifies 26 pat- 
terns, practices, and specific forms of activity that are “identity 
theft red flags.” These include alerts, notifications, or other warn- 
ings received from consumer reporting agencies or service pro- 
viders, the presentation of suspicious documents or suspicious per- 
sonal identifying information, the unusual use of, or other sus- 
picious activity related to, a covered account, or notice from cus- 
tomers, victims of identity theft, or law enforcement authorities. 

Recent events, such as the information security breaches at Tar- 
get and Neiman Marcus, highlight the sophisticated nature of 
evolving cyber threats, as well as the interdependencies that exist 
in today’s payment systems. They underscore the challenges and 
costs that banks can face when their customers’ data is breached 
through technologies controlled and overseen by a third party such 
as point-of-sale card readers at a merchant. Banks have borne the 
expense of replacing cards, providing credit-monitoring services, re- 
sponding to high volumes of customer inquiries, monitoring for 
fraudulent transactions, and reimbursing customers for fraud 
losses. 

Because of the interdependencies within retail payment systems, 
solutions to these issues will require cooperation among multiple 
entities and oversight bodies. The OCC supports recent efforts by 
the industry to work with the different stakeholders within the re- 
tail payment systems to develop approaches to minimize the risks 
and address challenges faced by banks. This includes efforts to de- 
velop new technologies and tools that will enhance the overall secu- 
rity of the retail payment systems. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
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you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. The payment technology discussed in the February 3 hearing 
is known as EMV, also called “chip and pin” and “chip and signa- 
ture.” While some banks and credit unions already issue chip 
cards, implementing a fully functioning EMV system is complex 
and will require a coordinated approach across retail payment sys- 
tems, and among financial institutions, merchants and consumers. 
For example, ATM networks and point-of-sale systems must be 
reconfigured to accept the new cards. In many cases, existing hard- 
ware may need to be replaced to accept newer technologies. Given 
the multifaceted challenges and interdependent systems that must 
be successfully coordinated across banks and merchants, we under- 
stand that full implementation may extend beyond the 2015 time- 
frame. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIFIs. Would you all be willing to sup- 
port more reliance on measurable metrics in FSOC’s designation 
process? 

A.3. I believe the designation process used by the FSOC strikes an 
appropriate balance in using a combination of uniform metrics, 
supplemented with more in-depth quantitative and qualitative as- 
sessments to make a designation determination. To provide trans- 
parency and clarity, the FSOC published for comment its proposed 
rule and interpretative guidance that explained the process, factors 
and key metrics the Council would use in its designation process. 
The Council’s interpretative guidance set forth the Council’s three- 
stage process and analytical framework for analyzing firms. Within 
that guidance and as part of its stage 1 analysis, the guidance 
identified a set of measurable, uniform metrics that are used to 
identify firms that warrant more in-depth review and analysis. 
Firms that meet the stage 1 metrics laid out in the guidance are 
subject to further review and analysis based on six key categories 
of risk factors. Those factors, and examples of metrics that FSOC 
will use to evaluate those risks factors, were also described in the 
guidance. 

As noted in the preamble to the final designation rule and inter- 
pretative guidance, the Council intends to review the quantitative 
thresholds as reporting requirements evolve and new information 
about certain industries and nonbank financial data becomes avail- 
able. While I would support such refinements to the designation 
process, I believe it would be a mistake to design a framework that 
relies solely on a set of quantitative metrics or algorithms to make 
a determination decision. I believe each firm must be evaluated 
with respect to its individual risk profile and the nature of its oper- 
ations. This need for a tailored analysis is why the Council’s proc- 
ess includes substantial opportunities for communications with, 
and responses by, firms that are under consideration for deter- 
mination. 

Q.4. Please explain how and why the agencies failed to foresee the 
accounting issue with the treatment of the Trust Preferred 
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Collateralized Debt Obligations (TruPS CDOs) in the final Volcker 
Rule. Did the proposed rule include requisite language seeking 
public comment on TruPS CDOs, as finalized? If so, please provide 
that language from the proposed rule. If not, please explain why 
the proposal did not seek that specific information and whether the 
agencies believe they satisfied the notice-and-comment require- 
ments under the Administrative Procedure Act. 

A.4. The TruPS CDOs that raised the accounting issue were cov- 
ered by the Agencies’ implementing regulations because they have 
features that bring them within the definition of “ownership inter- 
est.” The Notice of Proposed Rulemaking (76 Fed. Reg. 68,846) dis- 
cussed the Agencies’ proposed definition of “ownership interest” in 
covered funds, in connection with implementing the Volcker Rule’s 
prohibition against banking entity holdings of covered funds (p. 
68,897). The proposal went on to request comment on whether the 
proposed definitions of “ownership interest” in covered funds posed 
unique concerns or challenges with respect to specific classes of in- 
struments, specifically including Collateralized Debt Obligations (p. 
68,899). Commenters did not raise concerns about TruPS CDOs. 

Q.5. What specific efforts are the regulators considering to address 
the issue with the Collateralized Loan Obligations (CLOs) in the 
final Volcker rule? In Governor Tarullo’s testimony before the 
House Financial Services Committee, he stated that the CLO issue 
is “already at the top of the list” for regulators to consider and fix. 
How many financial institutions are impacted by the final rule’s 
treatment of CLOs? 

A.5. Based on Call Report information for year-end 2013, 51 do- 
mestic banks reported CLO holdings. The OCC is the supervisor of 
26 of these banks, which hold 95 percent of the CLO holdings re- 
ported by all 51 banks in the Call Reports. Holding of CLOs is ex- 
tremely concentrated in large banks, two of which hold far more 
than the other banks combined. Although some banks reported un- 
realized losses on their CLO portfolios, they were the exception to 
the rule, and the unrealized losses were not significant relative to 
tier 1 capital or earnings. On April 7, 2014, the Federal Reserve 
Board issued a statement announcing its intention, consistent with 
the statute, to grant two additional 1-year extensions of the con- 
formance period — until July 2017 — for legacy CLOs. A number of 
these legacy CLOs will have matured under their own terms and 
repaid their principal balances by that time. With respect to those 
that have not matured, the OCC does not anticipate significant ad- 
verse effects on capital or earnings overall with respect to the insti- 
tutions we supervise. 

Q.6. Since the final Volcker rule was issued in December, the af- 
fected entities have recognized two issues with the final rule 
(TruPS CDOs and CLOs). What other issues with the final Volcker 
rule are your agencies aware of that may be raised by affected enti- 
ties? How do you intend to coordinate efforts on clarifying such 
issues in the future? 

A.6. The Agencies are receiving requests for further guidance on a 
range of matters. For example, the OCC has received questions re- 
garding the metrics reporting requirements, including about (i) the 
timeframes for when the largest trading banking entities must 
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begin collecting metrics and filing their first reports; and (ii) the 
systems necessary for collecting and reporting metrics. The OCC 
has led the formation of an interagency working group to address 
and collaborate on developing responses to key supervisory issues 
that arise under the final regulations. The interagency group held 
its first meeting in late January and is continuing to meet on a 
regular basis. The Agencies are working to ensure consistency in 
application of the final regulations. Through our examination and 
supervisory staff, the OCC also is working with the institutions we 
supervise to ensure that they are preparing to conform with the 
implementing regulations when the conformance period concludes. 

Q.7. How do you plan to coordinate with other agencies regarding 
enforcement matters and the final Volcker rule, given that your 
agencies have varied jurisdictions? 

A.7. As noted in the response to the previous question, through our 
examination and supervisory staff, the OCC also is working with 
the institutions we supervise to ensure that they are preparing to 
conform with the implementing regulations. After the close of the 
conformance period, we will examine for compliance with the 
Volcker Rule and, in a case of noncompliance, will take appropriate 
supervisory or enforcement action. In cases where our work impli- 
cates institutions subject to regulation or supervision by other 
agencies, we will coordinate closely with those agencies. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ 
FROM THOMAS J. CURRY 

Q.l. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security standards? 
Currently, most standards are set by contract — with the card com- 
panies playing a significant role — and an industry body known as 
PCI determines most of the details and certifies compliance exam- 
iners. Should Federal regulators be playing a greater role? 

A.l. The OCC sets standards for financial institutions that we su- 
pervise. We are following the industry led efforts to respond to the 
evolving cybersecurity threats. The Payment Card Industry (PCI) 
Security Standards Council develops, maintains and manages the 
PCI Security Standards, such as the PCI-Data Security Standards 
(PCI-DSS). The PCI security standards are detailed and have been 
recently updated (November 2013). The bank regulators have an 
important role in evaluating the risk exposure of the banks in the 
system and consider PCI-DSS compliance in addition to compli- 
ance with the Federal Financial Institutions Examination Council 
(FFIEC) and OCC-related guidance in the examination process. 

The OCC is in the process of assessing the existing regulatory 
structure, enforcement authorities, and statutory authorities to en- 
sure they are adequate for the existing cybersecurity threat. 

Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial institutions 
still very clearly feel the effects. Credit and debit card issuers, for 
example, must notify affected customers and issue new cards, and 
will likely end up bearing some portion of the financial losses that 
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occur from fraudulent transactions using stolen card information. 
In the chain of a retail payment transaction, security is only as 
strong as its weakest link. 

In addition to the examinations the OCC conducts regarding reg- 
ulated institutions’ own data security, can you describe the OCC’s 
oversight with respect to the security of consumer data across the 
entire chain of consumer payment transactions? 

A.2.a. Banks provide essential retail payment transaction services 
to businesses and customers; issuing credit and debit cards to cus- 
tomers, authorizing transactions for merchants, and then acquiring 
those transactions. A few provide clearing and settlement services 
for merchants. The OCC supervises banks and their services pro- 
viders. However, the OCC does not oversee the security of con- 
sumer data across the entire chain of consumer payment trans- 
actions. 

The OCC examines banks and their service providers for compli- 
ance with the interagency information security guidelines issues by 
the OCC pursuant to the Gramm-Leach-Bliley Act, in conjunction 
with the Federal Deposit Insurance Corporation (FDIC) and the 
Board of Governors of the Federal Reserve System (Federal Re- 
serve) (collectively, the FBAs). These interagency guidelines require 
each bank to develop and implement a formal information security 
program. Banks and their service providers are examined for the 
capacity to safeguard their systems against cyber attacks and their 
ability to ensure the security and confidentiality of customer infor- 
mation. The OCC also ascertains whether banks have strong and 
well-coordinated incident response programs that can be imple- 
mented if a cyber attack or security breach does occur. 

While the guidelines require a bank to safeguard the customer 
information it maintains or that is maintained by a third party on 
its behalf, each bank is also required to be on the alert for identity 
theft involving its customers’ information, no matter how and 
where the information was acquired. The OCC examines banks for 
compliance with interagency regulations issued by the OCC pursu- 
ant to the Fair and Accurate Credit Transactions Act (FACT Act), 
by the FBAs together with the Federal Trade Commission titled 
“Identity Theft Red Flags and Address Discrepancies.” The final 
rules require each financial institution and creditor to develop and 
implement a written identity theft prevention program that in- 
cludes policies and procedures for detecting, preventing, and miti- 
gating identity theft in connection with new and existing accounts. 
The program must cover any consumer account, or any other ac- 
count that the financial institution or creditor offers or maintains 
for which there is a reasonably foreseeable risk to consumers or to 
the safety and soundness of the financial institution or creditor 
from identity theft. In addition, it must include policies and proce- 
dures to identify relevant red flags signaling the possibility of iden- 
tify theft, detect red flags incorporated into the program, respond 
appropriately to the red flags that are detected, and ensure the 
program is updated periodically to reflect changes in risks to cus- 
tomers and to the institution from identity theft. 

The Agencies also issued guidelines to assist covered entities in 
developing and implementing an identity theft prevention program. 
The guidelines include a supplement that identifies 26 patterns. 
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practices, and specific forms of activity that are “red flags.” These 
include alerts, notifications, or other warnings received from con- 
sumer reporting agencies or service providers, the presentation of 
suspicious documents or suspicious personal identifying informa- 
tion, the unusual use of, or other suspicious activity related to, a 
covered account, or notice from customers, victims of identity theft, 
or law enforcement authorities. When a bank detects identity theft 
red flags, the bank is expected to respond appropriately by taking 
steps that include monitoring accounts, contacting the customer, 
changing passwords, closing and reopening the account, and noti- 
fying law enforcement, as appropriate. 

Q.2.b. Should Federal regulators be taking a greater interest in the 
data security standards applicable to other entities that possess 
consumer financial data, beyond just regulated financial institu- 
tions? Are legislative changes necessary or are there legislative 
changes that would help? 

A.2.b. The OCC recognizes the need to protect critical infrastruc- 
ture and customer information across all sectors of the economy. 
We support legislation aimed at achieving these goals, except to the 
extent that such legislation would weaken or duplicate the existing 
information security, data protection, and consumer notice require- 
ments already applicable to banks. 

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without con- 
sumers’ knowledge or consent. The financial industry is no excep- 
tion. We have heard reports of lenders, for example, mining online 
data sources to help inform underwriting decisions on consumer 
loans. As companies aggregate more data, however, the con- 
sequences of a breach or improper use become greater. 

The Target breach illustrates the risks consumers face — not just 
of fraud, but also identity theft and other hardships. Compromised 
information included both payment card data and personal infor- 
mation such as names, email addresses, and phone numbers. But 
what if the next breach also involves account payment histories or 
Social Security numbers? As the ways companies use consumer in- 
formation changes, and the amount of consumer data they hold 
grows, how is the OCC’s approach evolving? Are there steps regu- 
lators are taking — or that Congress should take — to require strong- 
er protections against breaches and improper use, and to mitigate 
harm to consumers? 

A.3. Ensuring the industry’s defenses against cyber attacks is an 
important issue for the OCC. While the banking sector is highly 
regulated and has been subject to stringent information security re- 
quirements for decades, we recognize that both our supervision and 
our guidance to banks must be regularly updated to keep pace with 
the rapidly changing nature of cyb^er threats. 

The OCC has an information technology (IT) examination pro- 
gram that includes training examiners, updating and implementing 
IT risk management policy through guidance, alerts, and hand- 
books, and regular onsite examination of banks’ IT programs. 

We have also helped coordinate a series of classified briefings for 
banks, third-party service providers, and examiners. These brief- 
ings are an effective way to provide the industry with information 
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needed to anticipate and prepare for attacks. We have also con- 
ducted a number of other outreach events, including a security and 
threat awareness teleconference for community banks and thrifts 
that attracted over 750 institutions. 

When I became Chairman of the FFIEC, I called for the creation 
of a working group on cybersecurity issues to be housed under the 
FFIEC’s task force on supervision. The working group has already 
begun to meet with intelligence, law enforcement, and homeland 
security officials, and it is exploring additional approaches bank 
regulators can take to ensure that institutions of all sizes have the 
ability to safeguard their systems. This working group will also 
consider how best to implement the President’s Executive Order on 
Cybersecurity, as well as how to address recommendations of the 
ESOC. 

In addition, as mentioned above, the OCC recognizes the need to 
protect critical infrastructure and customer information across all 
sectors of the economy, especially with respect to sectors upon 
which banks are dependent, such as telecommunications. We sup- 
port legislation aimed at achieving these goals, except to the extent 
that such legislation would weaken or duplicate the existing infor- 
mation security, data protection, and the consumer notice require- 
ments already applicable to banks. 

Q.4.a. A lot of the discussion in the aftermath of the recent data 
breaches has focused on credit and debit card “smart” chip tech- 
nology, since the United States seems to have fallen behind other 
parts of the world such as Western Europe in adopting it. But 
while card chips help to reduce fraud for transactions where a card 
is physically present, and make it harder for thieves to print fake 
cards using stolen information, they do little to reduce fraud for on- 
line, “card-not-present” transactions. 

Are you comfortable with the steps industry is taking to improve 
security and reduce fraud for “card-not-present” transactions? 

A.4.a. The banking industry is looking into a number of new tech- 
nologies and business processes to improve security and reduce 
fraud. The largest institutions, in particular, have made significant 
investments in ways to improve security and reduce fraud. As your 
question acknowledges, while some technologies such as “chip and 
pin” may mitigate one source of vulnerability, they could accen- 
tuate other vulnerabilities. Eor this reason, there are additional in- 
dustry efforts underway to explore other emerging technologies 
such as biometrics, geolocation and forms of dynamic authentica- 
tion other than “chip and pin.” Some of these potential solutions 
however, may raise other concerns such as consumer privacy that 
will need to be carefully considered. 

Q.4.b. Banks and other industry participants need to be proactive 
here, rather than waiting for a major breach to happen before mak- 
ing protective investments. Do you feel that regulated institutions 
are paying sufficient attention to all areas of data security risk, 
and are making the necessary investments to protect consumers 
rather than treating fraud as simply a cost of doing business? 

A.4.b. Cybersecurity is an important priority for the OCC and we 
have been conducting extensive outreach to our institutions to 
draw their attention to the importance of data security. We empha- 
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size that it is an operational risk that needs to he part of institu- 
tions’ overall enterprise risk management and receive attention 
from senior management and the board of directors. From our out- 
reach efforts, we believe that senior financial institution executives 
understand that addressing cyber risks is a serious priority for 
their institutions, and, as noted above, they are exploring enhance- 
ments to existing technology to help to protect consumers’ informa- 
tion. The OCC supports new technologies and tools that will en- 
hance the overall security of retail payment systems. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM 

THOMAS J. CURRY 

Q.l. FSOC has been in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
teria followed, as well as the implications and process to be fol- 
lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.I. I believe the designation process used by FSOC strikes an ap- 
propriate balance in providing transparency to the public about the 
factors used by the Council in making its determinations while al- 
lowing for a robust evaluation, based on each firm’s unique cir- 
cumstances, that also protects the confidentiality of firm-specific 
proprietary and supervisory information. For example, to provide 
transparency and clarity, the FSOC published for comment its pro- 
posed rule and interpretative guidance that explained the process, 
factors and key metrics the Council would use in its designation 
process. The Council’s interpretative guidance set forth the Coun- 
cil’s three-stage process and analytical framework for analyzing 
firms. Within that guidance and as part of its stage 1 analysis, the 
guidance identified a set of measurable, uniform metrics that are 
used to identify firms that warrant more in-depth review and anal- 
ysis. Firms that meet the stage 1 metrics laid out in the guidance 
are subject to further review and analysis based on six key cat- 
egories of risk factors. Those factors, and examples of metrics that 
FSOC will use to evaluate those risks factors, were also described 
in the guidance. 

With respect to the Council’s actions for individual firms, a firm 
that is being actively considered for designation is sent a written 
notice that it is being considered for designation. That notice pro- 
vides the firm with a preliminary, in-depth analysis of the Coun- 
cil’s assessment of the firm, including key risk factors and metrics 
that the Council used in its assessment. During this stage, firms 
have an extensive opportunity to respond to those preliminary as- 
sessments through the submission of written materials and meet- 
ings and discussions with Council staff. If, at the conclusion of 
those discussions and analysis, the Council decides to make a de- 
termination, the firm is provided with a notice of proposed deter- 
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mination that includes an explanation of the basis for the Council’s 
action and is given the opportunity to request a formal hearing be- 
fore a final determination is made. To provide transparency of the 
Council’s final decision to designate a firm, the Council’s resolution 
and votes for the decision, along with any dissenting opinion, is 
posted to the Council’s Web site, along with a summary that pro- 
vides the basis and criteria used and the rationale for the designa- 
tion. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. On April 7, 2014, the Federal Reserve Board issued a state- 
ment announcing its intention, consistent with the statute, to grant 
two additional 1-year extensions of the conformance period — until 
July 2017 — for legacy CLOs. A number of these legacy CLOs will 
have matured under their own terms and repaid their principal 
balances by that time. With respect to those that have not ma- 
tured, the OCC does not anticipate significant adverse effects on 
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capital or earnings overall with respect to the institutions we su- 
pervise. Market participants indicate that new issuances have been 
structured so as to comply with Volcker Rule requirements for 
banking entity portfolio investments. I would note that CLO 
issuances for April were $12.3 billion, the highest monthly volume 
since the financial crisis, and that the total issuance for 2014 is al- 
ready $31.7 billion, putting it on pace to exceed last year’s total vol- 
ume. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM MARY JO WHITE 

Q.l. When a data breach happens at a merchant level. Federal 
banking regulators generally do not have jurisdiction to investigate 
and take action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.l. The challenges that face financial institutions as a result of a 
breach at a third party are many and varied. The sophistication of 
the perpetrators continually evolves, and the threats increase in 
complexity on a daily basis. Keeping pace with the challenges that 
we face will take a coordinated Government and industry effort. 

Expectations for Regulated Entities When a Breach Occurs at a 
Third Party 

The Commission has in place rules addressing privacy and iden- 
tity theft to protect investors. Regulations S-P and S-ID work to- 
gether to require covered firms to implement policies and proce- 
dures that are reasonably designed to ensure the security and con- 
fidentiality of customer records and information, including the es- 
tablishment of an identity theft program addressing how to iden- 
tify, detect, and respond to potential identity theft red flags. ^ Enti- 
ties covered under these rules are required to implement measures 
addressing their regulatory obligations, including the oversight of 
service provider arrangements. 

The guidelines contained in Regulation S-ID provide, among 
other things, that regulated entities that engage a service provider 
to perform services related to a covered account should take steps 
to ensure that the service provider has policies and procedures de- 
signed to detect, prevent and mitigate the risk of identity theft. 


^ Regulation S-P requires broker-dealers, investment companies and registered investment ad- 
visers to establish policies and procedures reasonably designed to safeguard customer informa- 
tion and records. It also limits the ability of these firms to disclose nonpublic personal informa- 
tion to unaffiliated third parties. Last year, to implement Section 1088 of the Dodd-Frank Act, 
the SEC and the CFTC jointly adopted Regulation S— ID, which requires certain regulated finan- 
cial institutions and creditors to adopt and implement identity theft programs. Regulation S— 
ID is in effect today and requires covered firms to implement policies and procedures designed 
to: identify relevant t3q)es of identity theft red flags; detect the occurrence of those red flags; 
respond appropriately to the detected red flags; and periodically update the identity theft pro- 
gram. Regulation S-ID also requires entities to provide staff training, oversight of service pro- 
viders, and guidelines for and examples of red flags to help firms administer their programs. 
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Challenges Faced by Financial Institutions as a Result of a Breach 

Possibly the greatest challenge faced by financial institutions and 
regulators alike is the need to be ever vigilant in guarding against 
new and unexpected threats. This generally necessitates good com- 
munication by all affected, as well as foresight in allocating re- 
sources to data and cyber protection. Financial institutions covered 
under the rules that possess customer data, of course, should, and 
are required to, take steps to prevent that data from being placed 
at risk. By way of example, broker-dealers, mutual funds and reg- 
istered investment advisers are required under Regulation S-P and 
Regulation S-ID to implement policies and procedures that address 
safeguarding data and preventing identity theft. Some of the chal- 
lenges facing entities covered under Regulation S-ID relate to im- 
plementing a program that provides for an appropriate response to 
identity theft red flags commensurate with the risk posed. Guide- 
lines contained in Regulation S-ID note that an appropriate re- 
sponse should take into account aggravating factors that may 
heighten the risk of identity theft, such as a data security incident 
that results in unauthorized access to account records, and include 
a number of examples of appropriate responses that a regulated en- 
tity should consider. Appropriate responses may include, among 
others: 

• Monitoring a covered account for evidence of identity theft; 

• Contacting the customer; 

• Changing any password, security codes, or other security de- 
vices that permit access to a covered account; or 

• Notifying law enforcement. 

Addressing Challenges While Minimizing Consequences and Costs 

An entity covered under Regulation S-ID is required to tailor its 
particular identity theft program to its size and complexity and to 
the nature and scope of its activities. Allowing an entity to tailor 
its program to fit its particular circumstances should enable the en- 
tity to better balance an appropriate response against any related 
consequences and costs. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. It is our understanding that the payment systems industry 
has spearheaded the transition to the use of new, more secure pay- 
ment technology, and major industry participants are working to fi- 
nalize this process by October 2015. The SEC’s authority, however, 
generally does not extend to retail payment systems. This authority 
generally resides with banking regulators. For instance, although 
some clients of broker-dealers and mutual funds have the ability to 
obtain debit cards linked to their accounts, the cards themselves 
are issued directly by a bank, and any unauthorized transactions 
processed through retail payments systems are subject to the fraud 
protections of the banking regulations. As a result, the Commission 
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has not been involved in these activities and is not in a position 
to provide additional details concerning them. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIFIs. Would you all be willing to sup- 
port more reliance on measurable metrics in FSOC’s designation 
process? 

A.3. As a voting member of the Financial Stability Oversight Coun- 
cil (FSOC), I believe it is important to be data-driven and rely on 
facts throughout the process for consideration of the potential des- 
ignation of systemically important financial institutions (SIFI). I 
therefore support the thorough and appropriate use of data and 
quantifiable, measurable factors in the SIFI designations process. 
In addition, I would note that the FSOC as a general matter is fo- 
cused on the issue of transparency and enhancing transparency, 
which I consider an important area of focus. 

Q.4. Since the final Volcker rule was issued in December, the af- 
fected entities have recognized two issues with the final rule 
(TruPS CDOs and CLOs). What other issues with the final Volcker 
rule are your agencies aware of that may be raised by affected enti- 
ties? How do you intend to coordinate efforts on clarifying such 
issues in the future? 

A.4. Staffs of the five agencies continue to work together, as they 
did during the rulemaking process, to share information and co- 
ordinate the agencies’ implementation of the Volcker rule. The 
staffs engage in discussions on a regular basis concerning technical 
and other issues concerning the implementation of the Volcker 
rule, including interpretive and other issues raised by affected enti- 
ties, to facilitate coordinated responses by the agencies or their 
staffs as appropriate. The staffs are not able to predict all of the 
issues that affected entities may raise with the final Volcker rule, 
but will continue to evaluate issues identified by affected entities 
and facilitate the agencies’ coordinated consideration of these 
issues. 

Q.5. How do you plan to coordinate with other agencies regarding 
enforcement matters and the final Volcker rule, given that your 
agencies have varied jurisdictions? 

A.5. Section 13 of the Bank Holding Company Act (“BHC Act”) pro- 
vides each agency with authority to adopt and administer rules 
with respect to specific types of legal entities. For instance, section 
13(e)(2) of the BHC Act authorizes the SEC, the Federal banking 
agencies, and the CFTC to take specified actions against a banking 
entity under the respective agency’s jurisdiction if there is reason- 
able cause to believe the banking entity has made an investment 
or engaged in activity that functions as an evasion or otherwise 
violates the restrictions of that section. Banking entities within the 
SEC’s jurisdiction include bank-affiliated, SEC-registered broker- 
dealers, investment advisers, and security-based swap dealers. The 
SEC is authorized to enforce the requirements of section 13 of the 
BHC Act only with respect to the types of banking entity under its 
jurisdiction. The SEC and the other agencies are currently coordi- 
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nating interpretive guidance and will seek to broaden such coordi- 
nation to include examiner training and cooperation in connection 
with enforcing section 13. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY 
FROM MARY JO WHITE 

I greatly appreciate the SEC and CFTC’s efforts in implementing 
key features of Dodd-Frank’s swaps reforms. However, I am very 
concerned about the number and significance of exemptions and no- 
action letters granted by the CFTC and the SEC’s delay in final- 
izing the rules. While I appreciate the CFTC’s commitment to 
working closely with stakeholders and allowing them an adequate 
opportunity to come into compliance, I am concerned that any addi- 
tional delays would be unreasonably exposing Americans to sys- 
temic risks and losing invaluable momentum in the effort to build 
a more stable financial system. 

Could you please lay out as of the date of this hearing: 

Q.l.a. What percentage of U.S. swaps markets, broken down by 
swap-type, have been subject to Title VII requirements for clearing. 
Swap Execution Facility (SEF)-trading, and reporting? 

A.l.a. As you know, the Dodd-Frank Act divided regulatory author- 
ity over U.S. swaps markets between the SEC and the CFTC, with 
the SEC having authority over security-based swaps, the CFTC 
having authority over swaps, and the SEC and CFTC jointly regu- 
lating mixed swaps. SEC staff estimates that security-based 
swaps — principally single-name CDS and equity-related security- 
based swaps — collectively represent less than 5 percent of the over- 
all swaps markets. The CFTC’s rules for clearing, SEF trading, and 
reporting for the swaps markets are in effect; the CFTC should be 
better able to provide you with relevant data for the products 
under its jurisdiction. 

To date, the SEC has proposed all of the rules required by Title 
VII, and we have started the process of adopting Title VII rules. 
These efforts include a comprehensive set of proposed rules focus- 
ing specifically on application of Title VII to cross-border security- 
based swap activity, mandatory clearing, and rules related to trad- 
ing on security-based swap execution facility trading and reporting. 

Q.l.b. What percentage of the global swaps market, broken down 
by swap-type, have been subject to Title Vll-like requirements for 
clearing, SEF-trading, and reporting? 

A.l.b. The FSB’s OTC Derivatives Market Reforms: Sixth Progress 
Report on Implementation, dated September 2013, reported that 
most G20 jurisdictions had legislation in place that allows for adop- 
tion of clearing and trading requirements, but mandatory clearing 
requirements and requirements to trade on organized trading plat- 
forms were only partially in force in a small number of jurisdic- 
tions. With respect to reporting, the FSB reported in September 
that sixteen G20 jurisdictions had legislation and regulations 
adopted to implement trade reporting, of which twelve jurisdictions 
had at least some specific requirements in force. 

The Commission has access to transaction-level data that we be- 
lieve provide reasonably comprehensive information regarding sin- 
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gle-name CDS transactions and the composition of participants in 
the market for single-name CDS. Analyses of these data have 
played a role in shaping the rules we have proposed and adopted 
under Title VII, and have allowed us to quantify certain economic 
effects of these rules. Summary statistics that describe the global 
nature of transactions and market participants are contained on 
pages 393 — through 396 of the SEC’s cross-border proposing re- 
lease. We note, however, that our data comes with several limita- 
tions. While we observe all reported transactions in single-name 
CDS involving U.S. underliers, we do not observe CDS transactions 
involving non-U. S. underliers where neither counterparty is a U.S. 
entity. The limitation on data involving CDS on non-U. S. 
underliers means that we do not have access to the type of data 
on foreign markets that would be necessary to provide you the spe- 
cific percentages you request both in this question and the ques- 
tions below. 

Based on an analysis of transactions in CDS on U.S. underliers. 
Commission staff believes that the vast majority of transactions in 
these CDS involve at least one U.S. or European counterparty, and 
thus are, or are likely to be, subject to Title VII or European re- 
quirements. 

Q.l.c. How much will that percentage change when Europe final- 
izes its rules? 

A.l.c. Based on an analysis of data regarding CDS transactions on 
U.S. underliers, where we believe we have a more complete picture 
of market participation. Commission staff believes that the vast 
majority of those transactions involve at least one U.S. or Euro- 
pean counterparty and thus are, or are likely to be, subject to Title 
VII or European requirements. As noted above, however, the Com- 
mission does not have access to data necessary to provide a specific 
percentage for the global market in single-name CDS. 

With respect to the specific European requirements, reporting to 
trade repositories under the European Market Infrastructure Regu- 
lation (EMIR) began on Eebruary 12, 2014. EMIR also requires 
counterparties to clear OTC derivative contracts that belong to a 
class that the European Securities and Markets Authority (ESMA) 
has declared subject to the clearing obligation and that meet other 
specified criteria. We understand that ESMA is currently working 
on draft regulatory technical standards to determine the asset 
classes that will be subject to this clearing obligation, and that 
publication of draft standards is expected later this year. Legisla- 
tion currently under consideration in the EU is expected to address 
the EU’s commitment to require OTC derivatives to be traded on 
an organized trading platform. 

Q.l.d. What part of those markets are made up of foreign affiliates 
of U.S. persons? 

A.l.d. As noted above, the Commission does not have access to the 
type of comprehensive data about foreign security-based swap mar- 
ket participation that would be necessary to answer your specific 
question. Based on analysis of CDS transactions on U.S. underliers, 
however. Commission staff estimates that transactions in which 
one counterparty is either a foreign affiliate of a U.S. person or a 
foreign branch of a U.S. person (which is considered part of its U.S. 
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home office under the SEC’s cross-border proposal) constitute a ma- 
jority of transactions in CDS on U.S. underliers in foreign markets. 
As with the overall market for CDS on U.S. underliers, the staff 
estimates that vast majority of these transactions are with Euro- 
pean counterparties, and thus are, or are likely to be, subject to 
Title VII requirements, European requirements, or potentially 
both. 

Please also: 

Q.l.e. Set out what temporary exemptions your agencies have 
granted. 

A.l.e. In June 2011, the Commission provided guidance as to 
which of the requirements of Title VII of the Dodd-Frank Act would 
apply to security-based swap transactions as of the July 16, 2011 
effective date of Title VII, and granted temporary relief to market 
participants from compliance with certain of those requirements 
(Effective Date Order). ^ The Effective Date Order was intended to 
provide legal certainty and avoid unnecessary market disruption 
while the Commission completes the implementation of Title VII. 

The Commission also issued a temporary order and interim final 
rules that provided temporary exemptive relief from compliance 
with certain provisions of the Securities Act, the Exchange Act, and 
the Trust Indenture Act in connection with the revision of the defi- 
nition of “security” to encompass security-based swaps. ^ The tem- 
porary exemptions and interim final rules were directed toward 
maintaining the status quo while the Commission implemented 
Title VII and evaluated the implications under the Federal securi- 
ties laws of including security-based swaps in the definition of “se- 
curity.” 

The temporary order generally preserves the application of par- 
ticular Exchange Act requirements that were already applicable in 
connection with instruments that became “security-based swaps” 
following the effective date of the Dodd-Frank Act, but defers the 
applicability of additional Exchange Act requirements in connection 
with those instruments explicitly being defined as “securities.” 
More specifically, the Commission’s temporary order exempts cer- 
tain market participants who engage in security-based swap activi- 
ties from the application of the Exchange Act other than with re- 
spect to: (a) certain antifraud and anti-manipulation provisions, (b) 
all Exchange Act provisions related to security-based swaps added 
or amended by subtitle B of Title VII of the Dodd-Frank Act, in- 
cluding the amended definition of “security” in Section 3(a)(10), and 
(c) certain other Exchange Act provisions. 

The interim final rules temporarily exempt offers and sales of 
those security-based swaps that prior to the Title VII effective date 


^ See Temporary Exemptions and Other Temporary Relief, Together with Information on Com- 
pliance Dates for New Provisions of the Securities Exchange Act of 1934 Applicable to Security- 
Based Swaps, Exchange Act Release No. 34-34678 (Jun. 15, 2011), 76 FR 36287 (Jun. 22, 2011). 

2 Sec Order Granting Temporary Exemptions under the Securities Exchange Act of 1934 in 
Connection with the Pending Revisions of the Definition of “Security” to Encompass Security- 
Based Swaps, Exchange Act Release No. 64795 (Jul. 1, 2011), 76 FR 39927 (Jul. 7, 2011); Order 
Extending Temporary Exemptions under the Securities Exchange Act of 1934 in Connection 
with the Revision of the Definition of “Security” to Encompass Security-Based Swaps, and Re- 
quest for Comment, Exchange Act Release No. 71485 (Feb. 5, 2014), 79 FR 7731 (Feb. 10, 2014); 
Exemptions for Security-Based Swaps, Securities Act Release No. 9231 (Jul. 1, 2011), 76 FR 
40605 (Jul. 11, 2011); and Extension of Exemptions for Security-Based Swaps, Securities Act 
Release No. 9545 (Feb. 5, 2014), 79 FR 7570 (Feb. 10, 2014). 
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were security-based swap agreements from all provisions of the Se- 
curities Act (other than the Section 17(a) anti-fraud provisions), the 
Exchange Act registration requirements, and the provisions of the 
Trust Indenture Act, provided certain conditions are met. The ex- 
emptions apply only to security-based swaps entered into between 
eligible contract participants (as defined prior to the Title VII effec- 
tive date). 

Q.l.f. Explain your timeline and planning for ending those exemp- 
tions and accomplishing full implementation of the Dodd-Frank 
rules regarding the swaps markets? Please identify any barriers 
you see that could further slow that implementation. 

A.l.f. The temporary exemptions provided under the Effective Date 
Order generally are set to expire on the earliest compliance date 
set forth in the related security-based swap rulemaking under Title 
VII, although in certain cases the expiration is tied to another date, 
such as the effective date for the related security-based swap rules 
or the date a person becomes registered under related security- 
based swap rules. One of the temporary exemptions in the Effective 
Date Order extends until a date or dates to be specified by the 
Commission. The approach to this temporary exemption permits 
the Commission to specify an appropriate date or dates for expira- 
tion in the related security-based swap rulemakings. 

Similarly, under the temporary order, the exemptions under the 
Exchange Act that are related to pending security-based swap 
rulemakings are set to expire on the compliance date for the re- 
lated security-based swap rules. The temporary exemptions which 
are not directly linked to pending security-based swap rulemakings 
are set to expire on the earlier of such time as the Commission 
issues an order or rule determining whether any continuing exemp- 
tive relief is appropriate for security-based swap activities with re- 
spect to any of these Exchange Act provisions or until February 11, 
2017.3 

This approach for extending the exemptions related to security- 
based swap rulemakings is intended to facilitate a timely phased- 
in determination regarding the application of the relevant provi- 
sions of the Exchange Act to security-based swaps based on the de- 
velopment of the relevant rules mandated by the Dodd-Frank Act 
as the Commission moves toward finalizing those rules. This ap- 
proach also provides the Commission flexibility while Dodd-Frank 
Act rulemaking is still in progress to determine whether continuing 
relief should be provided for any Exchange Act provisions that are 
not directly linked to specific security-based swap rulemaking. 

The Commission is in the midst of rulemaking under the Dodd- 
Frank Act to provide a robust, comprehensive regulatory regime for 
security-based swaps. To date, the Commission has proposed all of 
the rules related to the new regulatory regime for derivatives 
under Title VII and has be^n the process of adopting these rules. 

At this point there is not immediately apparent any new barriers 
that could delay implementation. As you know, the Commission 


^The exemptions provided by the interim final rules will expire on February 11, 2017. How- 
ever, if the Commission adopts further rules relating to issues raised by the application of the 
Securities Act or the other Federal securities laws to security-based swaps before February 11, 
2017, the Commission may well determine to alter the expiration dates in the interim final rules 
as part of that rulemaking. 
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proposed the rules pertaining to the application of Title VII to 
cross-border security-based swap transactions and non-U.S. persons 
engaged in activities implicating Title VII. This was a critical part 
of the implementation process, given the overwhelmingly global na- 
ture of the market for security-based swaps. 

In addition, the staff is working on the next set of adoptions 
under Title VII. The Commission is likely to consider certain of the 
issues presented in the cross-border proposal in an initial cross-bor- 
der adopting release. Under such an approach, this initial cross- 
border adopting release would likely focus on adopting key defini- 
tions relevant to the application of Title VII in the cross-border 
context. Other matters raised in the cross-border proposal would be 
addressed in subsequent releases. Such an approach would allow 
the Commission to consider the cross-border application of the sub- 
stantive requirements imposed by Title VII in conjunction with the 
final rules that will implement those substantive requirements. In 
addition, as noted below in response to question 3, I expect the 
Commission to consider the application of mandatory clearing re- 
quirements to single-name credit default swaps, starting with those 
that were first cleared prior to the enactment of the Dodd-Frank 
Act. 

Q.2. In particular, at the hearing. Acting Chair Wetjen identified 
certain cross-border issues that may be near-term challenges — 
please explain clearly what those might be and why continued 
delays or further weakenings of U.S. standards would not continue 
to expose the U.S. to significant financial stability risks, including 
lack of transparent pricing in the swaps market. 

A.2. The swaps markets are predominantly global and, therefore, 
resolving cross-border issues appropriately is critical to successful 
regulatory reform of these markets. 

As I noted in my testimony, the Commission is actively reviewing 
public input on its cross-border proposal. The Commission also is 
working through the issues that were raised, including, among oth- 
ers, the appropriate treatment of foreign affiliates of U.S. persons 
and how conduct by a non-U.S. person in the United States engag- 
ing in security-based swap transactions with another non-U.S. per- 
son should impact the application of Title VII requirements. 

In addressing these and other issues both in the cross-border 
area and more generally as we continue to adopt final rules and 
take other actions to implement Title VII, I continue to believe that 
we should take a robust and workable approach. 

Q.3. Finally, can you share any plans for further speeding coordi- 
nated implementation. For example, shouldn’t the SEC encourage 
single-name CDS to be cleared and traded through CFTC-reg- 
istered clearinghouses and SEFs in the interim before SEC rules 
are finalized and implemented? 

A.3. Since the Dodd-Frank Act was enacted, the staffs of the Com- 
mission and the CFTC have consulted and coordinated with each 
other regularly in the development and implementation of our re- 
spective rules, and we continue to do so. 

My immediate goal is to continue the finalization of the rules re- 
quired by Title VII for the security-based swaps market. In the in- 
terim, I would emphasize that single-name CDS are already being 
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cleared at SEC-registered clearing agencies under existing SEC 
rules. With respect to trading of security-based swaps, so long as 
market participants comply with applicable Federal securities laws, 
the SEC does not prohibit trading on CFTC-registered SEFs. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM 

MARY JO WHITE 

Q.l. FSOC has been in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
teria followed, as well as the implications and process to be fol- 
lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.l. While I cannot speak for the Financial Stability Oversight 
Council, as a voting member of FSOC I believe it is important for 
FSOC to be mindful of calls for greater transparency and provide 
ways for the public and other interested parties to have greater in- 
sight and input into issues concerning U.S. financial stability. One 
opportunity for FSOC to provide greater public exposure is through 
the upcoming Public Asset Manager Conference that FSOC plans 
to host on May 19, 2014. The Conference will enable the staffs of 
the member agencies to hear directly from the asset management 
industry and other stakeholders, including academics and public 
interest groups. In addition, the Conference will be Web cast live 
so that it can be viewed by members of the public. I am hopeful 
that FSOC will look for additional similar vehicles to promote pub- 
lic exposure and input to its work. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to recognize losses of almost $8 billion 
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driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. SEC staff, together with staffs of the other agencies, has spent 
considerable time carefully evaluating the concerns raised post- 
adoption by several trade groups and industry participants about 
CLOs. The final rule provides an exclusion for CLOs that hold 
loans and, in connection with such loans, may also hold certain in- 
terest rate or foreign exchange derivatives, cash equivalents, and 
assets related to holding loans or the servicing or timely distribu- 
tion of proceeds to security holders. Ownership interests in loan 
securitizations that fit within this exclusion as of the conformance 
date may be held by banking entities. In the adopting release, how- 
ever, the agencies did not expand the definition of excluded loan 
securitizations to securitizations holding both loans and securities, 
noting that such an expansion would not be consistent with the 
provision of the statute that specifically only permitted the “sale 
and securitization of loans” by banking entities. In light of these 
concerns, the Federal Reserve Board, after consulting with the 
staffs of the other agencies, recently announced that it intends to 
exercise its authority to give banking entities two additional 1-year 
extensions to conform their ownership interests in and sponsorship 
of certain CLOs. 

It is also worth noting that new CLO issuances have been com- 
parable in volume to the CLOs issued prior to the adoption of the 
final rule, and market participants have represented that new 
CLOs are conforming to the loan securitization exclusion under the 
Volcker Rule. 

Q.3. When Director Berner testified before the Economic Policy 
Subcommittee in January 2014, he emphasized that OFR’s report 
on the asset management industry study focused on activities of 
asset managers, rather than asset management firms. This is more 
appropriate because the size of an asset manager’s assets under 
management, which are wholly owned by a fund’s investors, doesn’t 
make that manager a systemic risk. If activities are the main 
focus, then section 120 of the Dodd-Frank Act suggests that the 
primary regulator — in this case the SEC, is the appropriate agency 
to address these issues. So, when can we expect the SEC and its 
expertise to be brought to bear by the FSOC? The current bank 
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centric approach to reviewing asset managers simply isn’t produc- 
tive. 

A.3. SEC staff is actively engaging with representatives of other 
FSOC members in any analysis of potential financial stability risks 
posed by asset managers or asset management activities and is 
sharing its expertise on asset management and the ways in which 
asset management activities differ from banking activities. Sepa- 
rately, the SEC is enhancing its own risk monitoring and oversight 
efforts with respect to asset managers. Pursuant to Section 965 of 
the Dodd-Frank Act, the SEC has established a new risk and ex- 
aminations office (REO) for asset managers. REO monitors trends 
in the asset management industry and is also assisting in a larger 
Commission-wide initiative to obtain and analyze data consistent 
with market trends and operational integrity issues, inform policy 
and rulemaking, and assist the staff in examinations of registrants. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM MARK P. WET JEN 

Q.l. When a data breach happens at a merchant level. Federal 
banking regulators generally do not have jurisdiction to investigate 
and tak^e action. However, collateral consequences of such breaches 
are that regulated financial institutions are impacted and face 
reputational and financial setbacks as a result. What are your ex- 
pectations for the regulated entities when a breach occurs at a 
third party? What are some of the challenges financial institutions 
face as a result of the breach? How can those challenges be ad- 
dressed while minimizing consequences of, and cost for, affected fi- 
nancial institutions? 

A.l. The U.S. Commodity Futures Trading Commission (“Commis- 
sion” or “CFTC”) oversees a variety of registrants for which data 
breaches, either in their own systems or third-party systems, can 
have serious consequences. In general, the Commission expects its 
registrants to consider the risks of data breaches and address them 
appropriately. The actual requirements vary by registrant. 

Commission Regulation 39.18 requires each registered deriva- 
tives clearing organization (“DCO”) to establish and maintain a 
program of risk analysis and oversight with respect to its oper- 
ations and automated systems which must include a risk analysis 
and oversight of information security. The DCO also is required to 
establish and maintain resources that allow for the fulfillment of 
each of its obligations in light of any identified risks. The Commis- 
sion expects a DCO’s information security risk analysis to include 
an analysis of any such risk posed by a third party providing serv- 
ices to the DCO. It also expects the DCO to maintain sufficient re- 
sources to allow for the fulfillment of the DCO’s obligations in light 
of such risks and to provide the necessary oversight to manage 
them. 

In addition. Commission Regulation 39.18 requires a DCO to no- 
tify the Commission’s Division of Clearing and Risk (“DCR”) 
promptly in the event of any hardware or software malfunction, 
cyber security incident or targeted threat that materially impairs, 
or creates a significant likelihood of material impairment of auto- 
mated system operation, reliability, security, or capacity. A DCO 
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would be required to notify DCR of relevant data breaches involv- 
ing a DCO’s third-party service provider pursuant to this provision. 
We further note that Section 807(b) of the Dodd-Frank Wall Street 
Reform and Consumer Protection Act (“Dodd-Frank”) provides the 
Commission with additional authority with respect to third-party 
services provided to a DCO that has been designated as system- 
ically important by the Financial Stability Oversight Council (a 
“SIDCO”). Specifically, whenever a service integral to the operation 
of a SIDCO is performed for the SIDCO by another entity, the 
Commission is authorized to examine whether the provision of that 
service is in compliance with applicable law, rules, orders and 
standards to the same extent as if the SIDCO was performing the 
service on its own premises. 

Commission Regulations §§ 38.1050 (DCMs), 37.1400 (SEFs), and 
49.24 (SDRs) require each registered DCM, SEF, or SDR to estab- 
lish and maintain a program of risk analysis and oversight with re- 
spect to its operations and automated systems. This program must 
include risk analysis and oversight of cyber and information secu- 
rity. These registered entities are also required to establish and 
maintain resources that allow for the fulfillment of their regulatory 
obligations. The Commission expects DCM, SEF, and SDR analysis 
of information security risks to include analysis of risk relating to 
third parties providing services to them. 

If a third party that performs services for a DCM, SEF, or SDR 
is compromised or loses data for which the DCM, SEF, or SDR is 
responsible, DM0 would have oversight concerns. One example 
might be a data storage provider losing trade data in long-term 
storage that might be needed for a DM0 examination or a DOE in- 
vestigation. Another example might be loss of login credentials due 
to a security compromise, such as the one that occurred a year or 
two ago with respect to two-factor authentication provided by RSA. 
Still another example could be a security breach at a third-party 
data center used by a DCM, SEF, or SDR. 

If a third-party providing services to a DCM, SEF, or SDR were 
compromised in a way that affected the regulatory responsibilities 
of the DCM, SEF, or SDR, CFTC rules would require the registrant 
to notify DM0 immediately concerning the potential data loss and 
the extent of the breach, and to notify affected parties as appro- 
priate based on the circumstances and the type and extent of infor- 
mation lost. 

Challenges that could be faced in such situations might include 
the incomplete nature of available information; the possible recal- 
citrance of the third-party provider; or legal issues relating to con- 
tracts or service agreements. DM0 would advise registrants to ad- 
dress such challenges by seeking to employ reputable third parties 
that have significant experience, appropriate controls, and effective 
security measures. 

Futures Commodity Merchants (“FCMs”) and Registered Foreign 
Exchange Dealers (“RFEDs”), along with maintaining their cus- 
tomer’s trade and account data, also process credit and debit card 
payments as a source of funds for initial and variation margin, so 
they are also reliant upon third-party payment systems. A data 
breach of either their own systems or a third-party payment sys- 
tem could lead to customers’ private and proprietary information 
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being compromised. This makes it important for FCMs and RFEDs 
to monitor their systems and trading activity and be alert for 
fraudulent activity that might result from compromised customer 
accounts. For FCMs/RFEDs the biggest challenge is identifying a 
breach and then evaluating how to recover funds for any unauthor- 
ized transactions. Without proper anti-money laundering or know 
your customer controls, the funds could have been laundered al- 
ready or there may be a need to liquidate transactions at a loss to 
the FCM or RFED. While most likely the risk of loss is with the 
card issuer, if substantial, the FCM or RFED may have to cover 
the loss until funds are received from the card issuer which may 
take time. 

Q.2. At the Subcommittee hearing on data security and breach held 
on February 3, 2014, Members learned that the payment networks 
have set an October 2015 timeframe for moving industry partici- 
pants to adoption of new, more secure payment technology. Can 
you discuss how quickly your regulated entities are moving to this 
technology, and identify some of the obstacles that still exist? 

A.2. The Commission does not have a role in regulating specific 
payment systems or technologies. However, as noted above, the 
Commission does expect registrants to address risks associated 
with payment systems. 

Q.3. In July of 2013, I requested that the Government Account- 
ability Office (GAO) review the SIFI designation process at FSOC 
for both transparency and clarity, and to examine the criteria used 
to designate companies as SIFIs. Would you all be willing to sup- 
port more reliance on measurable metrics in FSOC’s designation 
process? 

A.3. I am always open to considering how improvements to objec- 
tive metrics could aid the FSOC in its designation process. 

Q.4. Since the final Volcker rule was issued in December, the af- 
fected entities have recognized two issues with the final rule 
(TruPS CDOs and CLOs). What other issues with the final Volcker 
rule are your agencies aware of that may be raised by affected enti- 
ties? How do you intend to coordinate efforts on clarifying such 
issues in the future? 

A.4. The Commission participates in an interagency working group 
with the other agencies charged with implementing the Volcker 
Rule. The interagency group holds weekly conference calls to dis- 
cuss ongoing implementation issues, and the group coordinates re- 
sponses to queries from industry and Congress. The group meets 
regularly with trade groups and industry to better understand and 
address concerns related to implementation. The agencies have also 
formed several subgroups devoted to issues such as metrics report- 
ing and examinations that hold regular conference calls and coordi- 
nate on guidance documents. 

Q.5. How do you plan to coordinate with other agencies regarding 
enforcement matters and the final Volcker rule, given that your 
agencies have varied jurisdictions? 

A.5. As with any enforcement matter, the Commission places a 
high priority on promoting coordination of enforcement efforts with 
other law enforcement agencies to address Commodity Exchange 
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Act violations and other related financial wrongdoing. The Commis- 
sion participates in over 20 regional, national and international fi- 
nancial fraud enforcement working groups comprised of Federal, 
State, and local and criminal and civil authorities. The Commis- 
sion’s participation in these groups provides an opportunity to 
share information on cooperative enforcement matters and to co- 
ordinate joint civil and criminal Federal and/or State prosecutions. 
The Commission also meets regularly with various agencies to co- 
ordinate enforcement efforts and leverage resources, including the 
Department of Justice Criminal Division, Department of Homeland 
Security, Department of Treasury, Federal Bureau of Investigation, 
Federal Reserve, Federal Trade Commission, Internal Revenue 
Service, Securities and Exchange Commission, and U.S. Attorney’s 
Offices nationwide. 

As noted above, the Commission regularly meets with the other 
agencies charged with implementing the Volcker Rule to discuss 
issues related to implementation, including enforcement. The com- 
pliance period for the Volcker Rule goes into effect in July 2015, 
subject to further possible extensions by the Federal Reserve Bank. 
Going forward, as we near the date implementation, the Commis- 
sion will continue its robust interagency coordination on matters 
relating to Volcker Rule monitoring and enforcement. 

Q.6. I am concerned that the CFTC moved too quickly in imple- 
menting the bulk of its Title VII mandates and that we are just 
starting to see the unintended consequences of such hasty action. 
Considerable numbers of no-action letters and interpretive guid- 
ance have followed CFTC rulemakings, leading to market disrup- 
tion and uncertainty. Do you agree that more could have been done 
to consider the implications of rules prior to their adoption, thereby 
reducing the need for no-action and interpretive relief after the 
fact? Going forward, what are some things the CFTC should con- 
sider to remedy the issues with its rulemaking process? 

A.6. Congress set an ambitious deadline for the Commission to 
complete implementation of Dodd-Frank within a year of enact- 
ment of the legislation. As Acting Chair, and previously as a Com- 
missioner, in helping implement Dodd-Frank I have worked to be 
faithful to Congress’ mandate while also carefully considering input 
from the public and working closely with domestic and inter- 
national regulators. 

Nonetheless, where appropriate, the Commission should deter- 
mine whether course corrections in its implementation of Dodd- 
Frank are necessary. For example. Congress made clear that end 
users were intended to be exempt from Dodd-Frank, yet the end- 
user community has expressed concerns about compliance issues it 
faces under Dodd-Frank. As Acting Chair, I held two public 
roundtables to consider the regulatory issues facing end users 
under Dodd-Frank. The first roundtable focused on rule 1.35 rec- 
ordkeeping requirements, the regulatory treatment of forward con- 
tracts with embedded volumetric optionality, and the treatment of 
swap dealing to Government-owned electric utilities. The second 
roundtable addressed issues related to the position limits proposal, 
including hedges of physical commodities, the setting of spot month 
limits, and aggregation. Based on comments received at the first 
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roundtable, I acted by directing staff to provide relief to end users 
under rule 1.35 relating to certain recordkeeping requirements. ^ 
Further, I also directed staff to provide no-action relief to utility 
special entities entering into swaps ^ and, subsequently, the Com- 
mission released for public comment a proposal to provide more 
permanent for such entities.^ 

Going forward, the Commission must continue to work closely 
with Congress, the public, and market participants to achieve the 
proper balance of appropriate regulation while ensuring that these 
markets continue to facilitate job creation and the growth of the 
economy by providing a means for managing risk, facilitating price 
discovery, and broadly disseminating pricing information. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY 
FROM MARK P. WET JEN 

I greatly appreciate the SEC and CFTC’s efforts in implementing 
key features of Dodd-Frank’s swaps reforms. However, I am very 
concerned about the number and significance of exemptions and no- 
action letters granted by the CFTC and the SEC’s delay in final- 
izing the rules. While I appreciate the CFTC’s commitment to 
working closely with stakeholders and allowing them an adequate 
opportunity to come into compliance, I am concerned that any addi- 
tional delays would be unreasonably exposing Americans to sys- 
temic risks and losing invaluable momentum in the effort to build 
a more stable financial system. 

Could you please lay out as of the date of this hearing: 

Q.l.a. What percentage of U.S. swaps markets, broken down by 
swap-type, have been subject to Title VII requirements for clearing. 
Swap Execution Facility (SEF)-trading, and reporting? 

A.l.a. Commission staff are working to determine these estimates. 
For those asset classes that are subject to the clearing determina- 
tion and trade execution mandate, unfortunately, the Commission 
faces challenges in accurately assessing all the relevant details of 
specific transactions due to constraints on resources and data qual- 
ity issues. 

To do its job, the Commission must have accurate data in order 
to have a clear picture of swaps market activity. To help resolve 
the challenges the Commission faces in assessing swap data, ear- 
lier this year, I was joined by my fellow commissioners in announc- 
ing the formation of an interdivisional Working Group to review 
the Commission’s swaps transaction data recordkeeping and report- 
ing provisions. The working group formulated and recommended 
questions for public comment regarding, among other things, com- 


^Time-Limited No-Action Relief for Members of Designated Contract Markets and Swap Exe- 
cution Facilities that Are Not Registered with the Commission from the Requirement to Record 
Written Communications, Pursuant to Commission Regulation 1.35(a), in Connection with the 
Execution of a Transaction in a Commodity Interest and Related Cash or Forward Transactions 
(May 22, 2014), available at http:! I www.cftc.gov I ucm I groups I public I @lrlettergeneral / docu- 
ments I letter I 14-72.pdf. 

2 Staff No-Action Relief: Revised Relief from the De Minimis Threshold for CertainSwaps with 
Utility Special Entities (March 21, 2014), available at http:! ! www.cftc.gov ! ucm ! groups ! public ! 
@lrlettergeneral / documents / letter ] 14-34.pdf 

^ Exclusion of Utility Operations-Related Swaps with Utility Special Entities from De Minimis 
Threshold for Swaps with Special Entities, available at http: U www.cftc.gov ! ucm! groups ! pub- 
lic / @newsroom / documents ! file ! federalregister052214-al.pdf. 
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pliance with part 45 reporting rules, and related provisions, and 
consistency in regulatory reporting among market participants. 

The Working Group is currently reviewing all comments that 
were submitted in response to the request and will be making rec- 
ommendations to the Commission in the near future. 

Q.l.b. What percentage of the global swaps market, broken down 
by swap-type, has been subject to Title Vll-like requirements for 
clearing, SEF-trading, and reporting? 

A.l.b. Currently, the data required for this request is unavailable, 
primarily, because many other jurisdictions have yet to implement 
transaction reporting requirements. Most foreign jurisdictions have 
lagged the United States in finalizing reporting and transactions 
requirements for swaps. Moreover, even in those jurisdictions 
where reporting rules have been finalized, there is a lack of harmo- 
nization of data reporting standards across jurisdictions. The Fi- 
nancial Stability Board, of which we are a member, has set up a 
task force to address these and other issues related to global data 
harmonization. Additionally, please see the response to the pre- 
vious question regarding efforts to improve data collection and 
analysis. 

Q.l.c. How much will that percentage change when Europe final- 
izes its rules? 

A.I.C. As noted above, the data required to determine the percent- 
age of swaps subject to clearing determination and trade execution 
mandates is still unclear. As such, we are unable to determine this 
percentage. 

Q.l.d. What part of those markets is made up of foreign affiliates 
of U.S. persons? 

A.l.d. Foreign affiliates that are not U.S. persons that are engaged 
in swaps trading activity in the EU or other foreign jurisdictions 
are not required to report their swaps activities to the Commission. 
Moreover, the Commission does not have access to data reported to 
European Swap Data Repositories. As a result, the Commission 
does not have data on the activities of such affiliates. For those for- 
eign affiliates that are U.S. persons, because of data quality issues, 
the Commission does not have the capability to differentiate be- 
tween foreign and local affiliates of U.S. persons when assessing 
the data. As indicated, efforts are underway to improve data anal- 
ysis capabilities at the Commission. 

Please also: 

Q.l.e. Set out what temporary exemptions your agencies have 
granted. 

A.l.e. The Commission maintains on its Web site a list of currently 
effective staff no-action letters related to rules issued under Dodd- 
Frank. That list can be found at: http: ! I www.cftc.gov ! 
LawRegulation I DoddFrankAct I ExpiredNoAction I index.htm. 

Q.l.f. Explain your timeline and planning for ending those exemp- 
tions and accomplishing full implementation of the Dodd-Frank 
rules regarding the swaps markets? Please identify any barriers 
you see that could further slow that implementation. 
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A.l.f. Staff no-action letters are typically time-limited and tem- 
porary, although not always. The expiration of time-limited no-ac- 
tion letters differs depending on rule implementation timing and 
discussions with market participants, the public, and domestic and 
international regulators. 

I firmly believe that timely, full implementation of Dodd-Frank 
is essential to ensuring that the derivatives markets are subject to 
appropriate governmental oversight. In undertaking the implemen- 
tation of these changes, as Acting Chair, I have also endeavored to 
ensure that these regulatory changes do not cause unnecessary, po- 
tentially harmful disruption of the derivatives markets that so 
many market participants rely on to manage risk. 

Q.2. In particular, at the hearing. Acting Chair Wetjen identified 
certain cross-border issues that may be near-term challenges — 
please explain clearly what those might be and why continued 
delays or further weakening of U.S. standards would not continue 
to expose the U.S. to significant financial stability risks, including 
lack of transparent pricing in the swaps market. 

A.2. I believe that the CFTC took the correct approach in adopting 
cross-border policies that account for the varied ways that risk can 
be imported into the U.S. At the same time, the CFTC’s policies 
tried to respect the limits of U.S. law and the resource constraints 
of U.S. and global regulators. Attempts to weaken Dodd-Frank 
have not been contemplated or planned. 

In an effort to strengthen our cross-border policies and promote 
effective global oversight, the Commission is coordinating closely 
with foreign regulators. Last December, the CFTC approved a se- 
ries of determinations allowing non-U. S. swap dealers and MSPs to 
comply with Dodd-Frank by relying on comparable and comprehen- 
sive home country regulations, otherwise known as “substituted 
compliance.” Those approvals by the CFTC reflected a collaborative 
effort with authorities and market participants from each of the six 
jurisdictions with provisionally registered swap dealers. Working 
closely with authorities in Australia, Canada, the European Union 
(“EU”), Hong Kong, Japan, and Switzerland, the CETC issued com- 
parability determinations for a broad range of entity-level require- 
ments. In two jurisdictions, the EU and Japan, the CETC also 
issued comparability determinations for certain transaction-level 
requirements. 

It appears at this time that the substituted compliance approach 
has had success in supporting financial reform efforts around the 
globe and a “race-to-the-top” in global derivatives regulation. Eor 
example, the EU agreed on updated rules for markets in financial 
derivatives, the Markets in Einancial Instruments Directive II 
(“MiEiD 11”), reflecting great progress on derivatives reform. Other 
jurisdictions that host a substantial market for swap activity are 
still working on their reforms, and certainly will be informed by 
the EU’s work and the CETC’s ongoing coordination with foreign 
regulators. As jurisdictions outside the U.S. continue to strengthen 
their regulatory regimes and meet their G20 commitments, the 
CETC may determine that additional foreign regulatory require- 
ments are comparable to and as comprehensive as certain require- 
ments under Dodd-Erank. 
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The CFTC also has made great progress with the European Com- 
mission since the issuance of the Path Forward statement, and we 
are actively working with the Europeans to ensure that har- 
monized regulations on the two continents ensure financial sta- 
bility and promote sound risk management. Fragmented liquidity, 
and the regulatory and financial arbitrage that both drives and fol- 
lows it, can lead to increased operational costs and risks as entities 
structure around the rules in primary swap markets. Harmonizing 
regulations governing clearinghouses and trading venues, in par- 
ticular, is critical to sound and efficient market structure. 

Lastly, in light of the CFTC’s swaps authority, and the complex- 
ities of implementing a global regulatory regime, the CFTC is 
working with numerous foreign authorities to negotiate and sign 
supervisory arrangements that address regulator-to-regulator co- 
operation and information sharing in a supervisory context. We 
currently are negotiating such arrangements with respect to swap 
dealers and MSPs, SDRs, SEFs, and derivatives clearing organiza- 
tions. 

Q.3. Finally, can you share any plans for further speeding coordi- 
nated implementation. For example, shouldn’t the SEC encourage 
single-name CDS to be cleared and traded through CFTC-reg- 
istered clearinghouses and SEFs in the interim before SEC rules 
are finalized and implemented? 

A.3. Generally, clearing and mandatory trading can be helpful risk- 
reducing and competitive enhancements in liquid markets. Because 
single-name CDS fall under the jurisdiction of the SEC, the CFTC 
has no authority to mandate the clearing and mandatory trading 
of single-name CDS on CFTC-registered clearinghouses and SEFs. 
However, to encourage the clearing of CDS transactions, both the 
CFTC and SEC have approved the portfolio margining of single- 
name and index CDS. The SEC has required as a condition to port- 
folio margining for single-name and index CDS that their reg- 
istrants submit their customer margin models for SEC approval. 
The first of these approvals were granted earlier this year. We will 
continue to monitor market data to see whether these recent ap- 
provals have resulted in increased clearing for single-name and 
index CDS. 

The CFTC regularly coordinates with the Securities and Ex- 
change Commission (“SEC”) at the staff and Commissioner level re- 
garding the implementation of Dodd-Frank. As the SEC continues 
with its implementation of its rules under Dodd-Frank, I am al- 
ways willing to consider regulatory coordination that will enhance 
the safety and competitiveness of the markets we oversee. 


RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM 

MARK P. WET JEN 

Q.l. FSOC has been in existence for more than 3 years. Since that 
time, three companies have been deemed systemically significant 
and a second round of companies appear to be under consideration. 
Despite the numerous calls from Congress, a number of industry 
and consumer groups and even the GAO for the FSOC to provide 
greater transparency about the process used for designation, (in- 
cluding the metrics OFR should measure in their analysis), the cri- 
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teria followed, as well as the implications and process to be fol- 
lowed after a firm has been designated a SIFI. Can you provide 
greater details on why more transparency has not been achieved 
and how the FSOC plans to improve these issues? 

A.l. The Financial Stability Oversight Council (Council), of which 
I am member, has provided public transparency for the nonbank 
designations process through several measures. The Council volun- 
tarily published a rule and guidance outlining how it would imple- 
ment the statutory designation provisions and review firms for po- 
tential designation. For each of the three nonbank designations 
made so far, the Council provided the basis for those designations 
to Congress and the public. 

During the development of the Council’s rule and guidance on 
nonbank designations, the Council, even though not required to do 
a rulemaking, provided multiple opportunities for public comment. 
The public guidance described the designation process and set forth 
the quantitative metrics that the Council would use in its consider- 
ation of firms for designation. 

Under the rule and guidance, firms under review are provided 
with opportunities at each stage of the process to engage with the 
Council. Early in the process, the Council provides the company 
with a notice that it is under consideration and an opportunity to 
submit materials to contest the Council’s consideration. Following 
this, before any designation is proposed, there are numerous meet- 
ings between Council staff and the company and opportunities for 
the company to submit additional information for the Council’s con- 
sideration. Following a proposed designation determination by the 
Council, the Council provides the company the written basis for the 
proposed designation and provides the firm the opportunity for a 
hearing. Once a final designation is made, the company designated 
can seek judicial review of that designation. The designation rules 
and guidance provide for an annual review of all nonbank designa- 
tions where the designated companies may again participate. 

Due to the preliminary nature of the Council’s evaluation of any 
nonbank financial company prior to a final designation and the po- 
tential for market participants to misinterpret such an announce- 
ment, the Council does not publicly announce the name of any com- 
pany that is under review prior to a final designation of the com- 
pany. 

Q.2. I, along with a number of other Republicans, introduced legis- 
lation to fix an unintended consequence on collateralized debt obli- 
gations (CDOs). In their January 13th interim final rule, regulators 
crafted a rule that largely mirrored what my bill sought to do; pro- 
vide relief to a majority of community banks. While we appreciate 
the agencies’ efforts on this issue, one issue that we included in our 
legislation that the regulators did not address was collateralized 
loan obligations (CLOs). The CLO market provides about $300 bil- 
lion in financing to U.S. companies and U.S. banks currently hold 
between $70 and $80 billion of senior notes issued by existing 
CLOs and foreign banks subject to the Volcker Rule hold about an- 
other $60 billion. Because the final rules implementing the Volcker 
Rule improperly treat these debt securities as “ownership inter- 
ests”, the banks holding these notes will either have to divest or 
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restructure these securities. Because restructuring well over $130 
billion of CLO securities is neither feasible nor under the control 
of the banks holding these notes, divestment is the most likely re- 
sult. This, in turn, could lead to a fire sale scenario that could put 
incredible downward pressure on CLO securities prices leading to 
significant losses for U.S. banks. If prices decline by only 10 per- 
cent, U.S. banks would have to reco^ize losses of almost $8 billion 
driven not by the underlying securities but solely because of the 
overreach of the Volcker Rule. Indeed, the final rules are already 
wreaking havoc on the CLO market. Since the final rules were an- 
nounced, new CLO formation was down nearly 90 percent in Janu- 
ary 2014, the lowest issuance in 23 months. If this situation is not 
remedied and CLO issuance remains moribund, corporate bor- 
rowers could face higher credit costs. At the hearing of the House 
Financial Services Committee on January 15, 2014, a number of 
both Democrats and Republicans asked questions about how to fix 
the issue with the CLO market that was not addressed in the in- 
terim final rule released on January 13, 2014. The representatives 
of the agencies noted that the CLO issue was at the top of the list 
of matters to be considered by the inter-agency working group that 
has been established to review issues such as this and publish 
guidance. The issue is urgent. Bank CFOs are struggling with how 
to treat their CLO debt securities. Can you commit to a tight time- 
frame to issue guidance on CLOs? 

A.2. On April 7, 2014, the Federal Reserve Board of Governors 
(FRB) exercised its authority to allow banking entities two addi- 
tional 1-year extensions to conform their ownership interests in 
and sponsorship of certain collateralized loan obligations (CLOs) 
covered by section 619 of Dodd-Frank. We expect this will allow in- 
dustry time to come into compliance with the Volcker require- 
ments. 



